Zero Client Device with Integrated Secure KVM Switching Capability

ABSTRACT

System and method for zero client communications. A zero client device includes a housing, and in the housing, a transcoding processing unit (transcoder) and a communications processing unit coupled to the transcoder. The transcoder is configured to receive input data from human interface device(s), encode the input data, and provide the encoded input data to the communications processing unit for transmission over a network to a server. The communications processing unit is configured to receive the encoded input data from the transcoder, transmit the encoded input data over the network to the server, receive output data from the server, and send the output data to the transcoder. The transcoder is further configured to receive the output data from the communications processing unit, decode the output data, and send the decoded output data to at least one of the human interface devices.

PRIORITY DATA

This application claims benefit of priority to U.S. Provisional Application Ser. No. 61/494,192, titled “Zero Client, Secure Switching, and Mobility Functionality in a Networked Computer System”, filed Jun. 7, 2011, whose inventors are Syed Mohammad Amir Husain and Randy P. Printz, which is hereby incorporated by reference in its entirety as though fully and completely set forth herein.

This application also claims benefit of priority to U.S. Provisional Application Ser. No. 61/545,640, titled “Zero Client, Secure Switching, and Mobility Functionality in a Networked Computer System”, filed Oct. 11, 2011, whose inventors are Syed Mohammad Amir Husain and Randy P. Printz, which is hereby incorporated by reference in its entirety as though fully and completely set forth herein.

FIELD OF THE INVENTION

The present invention relates generally to networked computing systems in which a plurality of human interfaces are coupled via a network to a plurality of computer systems, e.g., co-located or centralized computers, e.g., blade computers, and more specifically, to various embodiments of a zero client system implementing such interfaces.

DESCRIPTION OF THE RELATED ART

Many commercial businesses and enterprises make extensive use of personal computers (PCs) in their daily operations. Typically, each user of a PC in the enterprise has a networked PC at his/her desk or work area. As the number of networked computer systems utilized in an enterprise increases, the management of resources in the network may become increasingly complex and expensive. Some of the manageability issues involved in maintaining a large number of networked computer systems may include ease of installation and deployment, the topology and physical logistics of the network, asset management, scalability (the cost and effort involved in increasing the number of units), troubleshooting network or unit problems, support costs, software tracking and management, as well as the simple issue of physical space, be it floor space or room on the desktop, as well as security issues regarding physical assets, information protection, software control, and computer virus issues.

Many of these issues may be addressed by centralizing the locations of the PCs, such as by installing multiple PCs into a central frame or cabinet, and locating each PC's human interface (e.g., keyboard, display device, mouse, etc.) at a respective remote location, e.g., more than 10 or 20 feet from the computing system. In one approach, each computer in the system may be a “computer on a card”, also referred to as a computer blade or “blade”. In other words, each computer may be comprised on a circuit card that may include standard computing system components such as a CPU, memory, power supply, and network interface, as well as an extender, e.g., a USB or PCI extender, for communicating with the remote human interface. A computing system in which a plurality of human interfaces are coupled via a network to a plurality of centralized computer blades is referred to herein as a blade computing system.

One type of networked computing system that is increasingly utilized is referred to as a “cloud system”, in which multiple users access server-provided computer resources over a network, e.g., storage, processing tasks, applications, etc. Client systems coupled to the “cloud” may utilize provided resources without regard to which server (or even how many servers) provides the resources.

Some network based computing systems implement or utilize particular types of client/server architecture referred to as thin client or zero client. Thin and zero clients rely substantially or entirely upon the server for performing data processing tasks. The thin or zero client supports user interface functionality, e.g., presenting information to the user, e.g., via display, speakers, etc., receiving user input from the user via input devices, and providing user input to the server, etc., while the server performs most or all of the data processing. Note that thin clients may run a full operating system (OS), whereas zero clients generally do not, e.g., a zero client's OS may be a minimal or stripped down OS, such as a kernel that primarily initializes network communications/protocol and manages/displays I/O to and from the server(s) over the network. A cloud client may be considered a subtype of zero client.

Another current trend in computer network technologies is the use of virtual machines. Virtual machines (VMs) are software processes or environments that implement a “computer within a computer”, where, for example, the VM may execute a different operating system or even instruction set from its host computer. A client (and its user) may interact with and perceive the VM as a physical machine, although it is actually a software process.

However, in prior art zero client systems and VMs, there are numerous functionalities that are not implemented, and thus not available to users of these systems.

SUMMARY

Various embodiments of a zero client device are described. The zero client device may include a housing, a transcoding processing unit included in the housing, and a communications processing unit, also included in the housing and coupled to the transcoding processing unit. Being a zero client device, it has no user-modifiable storage medium, although it may include various memory elements for operation of the device. Similarly, the device does not include a conventional operating system. The transcoding processing unit and the communications processing unit may be implemented on respective circuit boards, i.e., on a first circuit board and on a second circuit board, respectively.

In some embodiments, a zero client device may include a housing, a transcoding processing unit included in the housing, and a communications processing unit, also included in the housing and coupled to the transcoding processing unit. Being a zero client device, it has no user-modifiable storage medium, although it may include various memory elements for operation of the device. Similarly, the device does not include a conventional operating system.

The transcoding processing unit or the communications processing unit may instantiate a zero client session with a server or other network accessible device over a network. In some embodiments, the transcoding processing unit may be configured to receive input data from one or more human interface devices, encode the input data, and provide the encoded input data to the communications processing unit for transmission over the network to the server.

The communications processing unit may be configured to receive the encoded input data from the transcoding processing unit, transmit the encoded input data over the network to the server, receive output data from the server over the network, and send the output data to the transcoding processing unit.

The transcoding processing unit may be further configured to receive the output data from the communications processing unit, decode the output data, and send the decoded output data to at least one of the one or more human interface devices.

Note that the above is but one exemplary embodiment, and that other embodiments are also contemplated, as described below. For example, in various embodiments, various functionalities may be integrated into the zero client device, including, for example, one or more of: Virtual Private Network (VPN) functionality for securely connecting to a server over a network, network authentication capability, wireless capability, assignment of an IP address to the zero client device based on a MAC address, one or more serial or parallel ports, USB bandwidth augmentation and support for out-of-band capabilities, multiple display adaptors, remoting hardware, and I/O devices to extend display capabilities, Bluetooth capability, GPS (Global Positioning System) capability, multi-boot capability to allow use of multiple zero client protocols from the same zero client device, secure KVM (keyboard/video/mouse) switching capability, or a network controlled serial/audio switch, among others.

BRIEF DESCRIPTION OF THE DRAWINGS

A better understanding of the present invention can be obtained when the following detailed description of the embodiment is considered in conjunction with the following drawings, in which:

FIG. 1 illustrates integration of Virtual Private Network (VPN) capability into a zero client device, according to one embodiment;

FIG. 2 illustrates integration of network authentication capability into a zero client device, according to one embodiment;

FIG. 3 illustrates integration of wireless capability into a zero client device, according to one embodiment;

FIG. 4 illustrates assignment of an IP address to a zero client device based on a MAC address, according to one embodiment;

FIG. 5 illustrates integration of one or more serial or parallel ports into a zero client device, according to one embodiment;

FIG. 6 illustrates USB bandwidth augmentation and support for out-of-band capabilities in a zero client device, according to one embodiment;

FIG. 7 illustrates integration of multiple display adaptors, remoting hardware, and I/O devices with a zero client device to extend display capabilities, according to one embodiment;

FIG. 8 illustrates integration of Bluetooth capability into a zero client device, according to one embodiment;

FIG. 9 illustrates integration of GPS capability into a zero client device, according to one embodiment;

FIG. 10 illustrates integration of multi-boot capability into a zero client device to allow use of multiple zero client protocols from the same zero client device, according to one embodiment;

FIG. 11 illustrates integration of secure KVM (keyboard/video/mouse) switching capability into a zero client device, according to one embodiment; and

FIG. 12 illustrates a network controlled serial/audio switch, according to one embodiment.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and are herein described in detail. It should be understood, however, that the drawings and detailed description thereto are not intended to limit the invention to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the present invention as defined by the appended claims.

DETAILED DESCRIPTION OF EMBODIMENTS

As used herein, the term “zero client” refers to an endpoint device which does not have a conventional operating system, has no removable storage, and has no independent operational capability other than acting as a decoder or receiver for a computing experience that executes on a remote server, workstation, or blade computer, and is transmitted over a network to the zero client. The protocols employed to transmit and decode this experience may include PCoIP, HDX, RemoteFX, or others, as desired. The terms “processing unit” and “functional unit” refer to any type of computational element, such as a processor (embedded or otherwise), application specific integrated circuit (ASIC), or Field Programmable Gate Array (FPGA), among others. As noted above, a cloud client is considered to be a subtype of zero client, and may support or implement a cloud specific protocol to communicate with a cloud over a network.

Below are presented descriptions of innovative systems and techniques that provide benefits not available in the prior art. It should be noted that in various different embodiments, any of the various features and functionalities described below may be used or omitted. In other words, any and all different combinations and subsets of the features and functionalities disclosed herein are contemplated and considered to be within the scope of this document.

Zero Client System

Typically a zero client device accepts input from a user or from a program, which may be referred to as a connection broker, to determine which host system (remote server) it is to connect to. To enable various of the functions and novel features described herein, such as out-of-band USB ports, additional displays via USB to video adaptors, and so forth, a zero client device is described that includes a transcoding processing unit (described in detail below); a secondary processing unit, e.g., an embedded processor (referred to herein as a communications processing unit, and described in detail below), is also necessitated.

In some embodiments, the transcoding processing unit may be implemented on a first circuit board, and the communications processing unit may be implemented on a second (separate) circuit board. This particular novel architecture may facilitate or even necessitate various functions and functionalities disclosed herein.

In some embodiments, software (i.e., program instructions) may be provided that runs on (or is configured on) the communications processing unit which is executable or configured to a) detect the connection state of the zero client transcoding processing unit, b) if the zero client transcoding processing unit is connected to a remote host, obtain the IP address or hostname of the remote host, and c) initiate a connection to a host process (e.g., software program) which may be pre-installed on the remote host to enable the out-of-band communication channel.

This capability may thus alleviate the need for an end-user to manually connect the zero client transcoding processing unit to a host, and then also launch a secondary manual connection to enable the communications processing unit to connect to the same host. In fact, in many environments, the end user may not even be aware of the hostname or the IP address of the remote system to which he/she is connecting. This automatic detection of a remote host and automatic out-of-band connection instantiation process provides significant benefits over the prior art.

Accordingly, in some embodiments, a zero client device may include a housing, a transcoding processing unit included in the housing, and a communications processing unit, also included in the housing and coupled to the transcoding processing unit. Being a zero client device, it has no user-modifiable storage medium, although it may include various memory elements for operation of the device. Similarly, the device does not include a conventional operating system.

The transcoding processing unit or the communications processing unit may instantiate a zero client session with a server, or other network accessible device over a network.

In some embodiments, the transcoding processing unit may be configured to receive input data from one or more human interface devices, encode the input data, and provide the encoded input data to the communications processing unit for transmission over the network to the server.

The communications processing unit may be configured to receive the encoded input data from the transcoding processing unit, transmit the encoded input data over the network to the server, receive output data from the server over the network, and send the output data to the transcoding processing unit.

The transcoding processing unit may be further configured to receive the output data from the communications processing unit, decode the output data, and send the decoded output data to at least one of the one or more human interface devices.

Note that the above is but one exemplary embodiment, and that other embodiments are also contemplated, as described below.

It should be further noted that the various techniques and systems disclosed herein may include new combinations of hardware devices and new software (which may include program instructions implemented in programmable hardware, such as an FPGA) that utilizes the devices to provide novel and useful functionality. Thus, for example, in some embodiments, the novelty of the systems and methods disclosed is not limited merely to the described combinations of the hardware, but also includes special software that automates the workflow required to detect the remote system to which the zero client transcoding processing unit is connected, and to cause the communications processing unit (e.g., embedded processor) that handles out-of-band communication for USB, USB 2 VGA, USB 2 Parallel, or other forms of communication, to connect to the same remote host. Accordingly, appropriate software may be resident or available on the remote host to facilitate this connection. In other words, the remote host may include server software such that the out-of-band connection has a server process to connect to which enables the transit of data between remotely connected ports/peripherals (of the zero client device) and the host with which the zero client transcoding processing unit has established a user session/connection.

FIG. 1—Integration of VPN Capability into a Zero Client Device

FIG. 1 illustrates one embodiment of a novel architecture for a client system, such as a zero client device, which may be referred to herein for brevity as simply the “client”. More specifically, FIG. 1 illustrates integration of Virtual Private Network (VPN) capability into a zero client device, according to one embodiment. In preferred embodiments, the zero client device is comprised in a housing, i.e., a case or enclosure, with electrical and data connections or ports for connecting to other devices.

As FIG. 1 shows, in this embodiment, a zero client may be configured to couple to a host computer or VM over a network, e.g., the Internet, a Local Area Network (LAN), etc., and may be further configured to couple to various human interface devices (HIDs), e.g., a display, keyboard, and mouse (or any other human interface device(s), as desired), as well as one or more serial (e.g., USB) devices, as indicated by the serial I/O element. It should be noted, however, that the embodiment shown is meant to be exemplary only, and is not intended to limit the client or its connectivity to any particular set of HIDs, any particular network, or any particular type of host computer or VM. Moreover, the host computer or VM may be comprised in any of various networked computer systems, e.g., may be part of a cloud system, a co-located blade computer system, localized or distributed data center, etc., as desired.

As shown, in one embodiment the client may include a transcoding processing unit, included in the housing and implemented on a first circuit board, as well as a communications processing unit, also included in the housing, and coupled to the transcoding processing unit. The communications processing unit may be implemented on a second circuit board. In various embodiments, the transcoding processing unit may be implemented as an FPGA, an ASIC, and/or a processor, among others, as desired. The transcoding processing unit may be configured to perform decoding of a video signal received from a source computer or virtual machine, an audio signal received from a host, i.e., a source computer or virtual machine, and/or additional signals from the host, such as a USB (Universal Serial Bus) or peripheral bus signal. As noted above, the zero client device may have no user-modifiable storage medium.

The communications processing unit may also be implemented in any of various ways, e.g., a processor, an FPGA, and/or an ASIC, among others. The communications processing unit may include Virtual Private Network (VPN) software for securely connecting to devices over a network. In one exemplary embodiment, the communications processing unit may be or include an embedded processor running VPN (Virtual Private Networking) software that functions as an Internet (or other network) gateway for the transcoding processing unit, where the VPN software is stored or implemented in firmware or other type of memory in or of the communications processing unit. Note, however, that in other embodiments, the VPN functionality may be implemented differently. For example, in some embodiments where the communications processing unit is implemented with a programmable hardware element, such as an FPGA, the VPN functionality may be implemented in hardware, e.g., may be implemented as part of the hardware configuration, e.g., via a netlist, e.g., generated based on software. More generally, the communications processing unit may implement integrated VPN functionality (referred to generally as VPN software) via any means desired.

In other words, the communications processing unit may be configured to interface with the network, and may execute virtual private network (VPN) software (or may otherwise implement VPN functionality), or other networking software. Thus, the communications processing unit may provide for network communications with the host computer or VM, and in some embodiments, may include integrated secure network connectivity functionality via the VPN software (or other implementation). Such network security functionality being integrated directly into the zero client device may provide cost savings for users, and further, may preemptively prevent security problems that could arise due to ignorance or naïveté on the part of the client user.

The communications processing unit may be configured to determine an identifier of a server to which connection is desired. In one embodiment, the transcoding processing unit may be configured to instruct the communications processing unit to instantiate a VPN session with the server. The communications processing unit may be configured to instantiate the VPN session with the server via the VPN software in response to the instruction from the transcoding processing unit. The VPN session may enable communications between components or devices connected to the communications processing unit and any systems or networks to which the server provides access.

The transcoding processing unit may be configured to instantiate a zero client session with the server via the VPN session. In other words, the transcoding processing unit may utilize the established VPN session to instantiate the zero client session.

In some embodiments, the transcoding processing unit may be further configured to receive input data from one or more human interface devices, encode the input data, and provide the encoded input data to the communications processing unit for transmission over the network to the server via the zero client session. Accordingly, the communications processing unit may be configured to receive the encoded input data from the transcoding processing unit, transmit the encoded input data over the network to the server via the zero client session, receive output data from the server over the network via the zero client session, and send the output data to the transcoding processing unit. The transcoding processing unit may be further configured to receive the output data from the communications processing unit, decode the output data, and send the decoded output data to at least one of the one or more human interface devices.

Thus, as FIG. 1 indicates, the zero client device may receive user interface signals or commands via the HIDs, e.g., keyboard, mouse, microphone, touch-screen or pad, etc., which the transcoding processing unit may encode for transmission to the host computer or VM via the communications processing unit. Conversely, as noted above, the client may receive signals (e.g., data) from the host over the network via the communications processing unit. These signals may have been encoded by the host for transmission over the network, and the transcoding processing unit may decode these signals and provide the decoded signals to one or more interface devices as appropriate, e.g., a display or monitor, speakers, and so forth. As also noted above, the signals that the client may receive and decode may include video signals for display on the display or monitor, and audio signals for presentation by speaker(s). Moreover, as also mentioned above, in some embodiments, the client may also be configured to receive and decode additional signals, such as a USB (Universal Serial Bus) or peripheral bus signal. Thus, for example, additional devices may be coupled to the client for provision of further functionality, e.g., scanners, cameras, bar code readers, and so forth, as desired.

It is important to note that the novel embodiments contemplated and disclosed above are not limited simply to the integration of a VPN device with a zero client device within a single housing. As noted above, an important novel aspect of embodiments of the present system and method is the integration of connection functionalities into a unified software connection interface of the system (zero client device), such that when a user initiates a connection to a remote host, the VPN is automatically instantiated and connected, after which the actual zero client connection may take place (i.e., the zero client connection between the transcoding processing unit and the remote host). This is significant because without the instantiation of the VPN connection, the remote system to which the zero client communications processing unit is attempting to connect may not even be visible on the network by virtue of being behind a firewall. In other words, it is only the automatic instantiation of the VPN connection via the unified connection interface disclosed herein that configures the VPN connection appropriately prior to the zero client transcoding processing unit attempting to establish a connection.

In one exemplary embodiment, the technique may be implemented as follows:

The zero client device (which includes integrated VPN software running or implemented on the communications processing unit) may present a user interface which queries or prompts the user for his/her login credentials, or alternatively, the name of a remote system to which a connection is desired.

If the user provides login credentials, the interface, running on the zero client transcoding processing unit (or communications processing unit), may contact a connection broker to obtain the IP address or hostname of the remote system to connect to. If the user provides the IP address or the hostname of the remote system, this information may be used directly to establish the connection. Alternatively, the IP address or hostname may be retrieved from a configuration file.

It should be noted that in various embodiments, the acquisition of the IP address or the hostname of the remote system may be performed by either or both of the communications processing unit and the transcoding processing unit. For example, either (or both) of these units may execute software (or have configured hardware) that presents a graphical user interface (GUI) to the user via which the user can provide the IP address or hostname, or via which the user may invoke retrieval from another source, e.g., a broker or configuration file. Similarly, either (or both) of the units may execute software (or have configured hardware) that retrieves this information, e.g., from a broker or configuration file.

According to one embodiment, once the IP address or the hostname of the remote system has been acquired via the user, a connection broker, or a configuration file, the software (running on the zero client transcoding processing unit and/or the communications processing unit) may communicate with the VPN software (executing on the communications processing unit), e.g., over an internal network, e.g., an RJ-45 network in the zero client device. In one embodiment, a small software agent running on the communications processing unit may listen for such communications. The message sent from the software running (or otherwise implemented) on the zero client transcoding processing unit may indicate to the software agent running on the communications processing unit that it should invoke a VPN session with a pre-configured host, e.g., which may also be referred to as a VPN concentrator.

In the event that a pre-configured VPN host is not available, the software running on the zero client transcoding processing unit (or the communications processing unit) may alternatively provide to the software agent running on the communications processing unit (hosting the VPN software) the name of the VPN host to connect to.

Once the name or IP address of the VPN host has been obtained, the agent running on the communications processing unit may instantiate a VPN connection. This VPN connection may allow all devices connected to the communications processing unit, such as, for example, the transcoding processing unit, to obtain network visibility to all systems and network(s) to which the VPN host provides access.

Once such network visibility is obtained, the software running on the zero client transcoding processing unit may instruct the communications processing unit to instantiate a zero client connection (remoting protocol connection) to the specified host.

The novel combination of components (including software) and the software-enabled workflow described above thus allows an end user of the zero client to simply provide credentials or a remote hostname, which may result in the underlying triggering of a set of processes which (optionally) retrieves the hostname from a connection broker, instantiates a VPN connection to a pre-configured host or to a host explicitly specified by the end-user, and subsequently instantiates a zero client session with the selected remote host without any further user involvement.
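
The workflow above, modelled as a small state machine. This is an added example, not code from the patent: every class, function and host name is hypothetical, the sample hosts are constructed, and the lookup precedence in `resolve_target` is an assumption. It enforces the order (target resolution, VPN session, zero client session) and fails closed when the tunnel cannot be brought up.

```python
# Added illustration; every name here is hypothetical (the patent defines no API).
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, Dict, List, Optional, Set


class State(Enum):
    IDLE = auto()
    TARGET_RESOLVED = auto()
    VPN_UP = auto()
    SESSION_UP = auto()
    FAILED = auto()


class WorkflowError(Exception):
    """Raised when a step cannot complete; the connector then fails closed."""


def resolve_target(user_input: Dict[str, str],
                   broker: Callable[[str, str], Optional[str]],
                   config: Dict[str, str]) -> str:
    """Remote host from a user-supplied name, the connection broker, or the
    configuration file. The precedence between them is an assumption."""
    if user_input.get("host"):
        return user_input["host"]
    if user_input.get("username"):
        host = broker(user_input["username"], user_input.get("password", ""))
        if not host:
            raise WorkflowError("connection broker returned no host")
        return host
    if config.get("remote_host"):
        return config["remote_host"]
    raise WorkflowError("no remote host from user, broker or configuration")


@dataclass
class VpnAgent:
    """Stands in for the agent on the communications processing unit that
    listens for 'invoke VPN' messages from the transcoding side."""
    preconfigured_host: Optional[str]
    reachable: Set[str]                  # constructed: concentrators that answer
    connected_to: Optional[str] = None

    def invoke(self, supplied_host: Optional[str] = None) -> str:
        # Pre-configured concentrator first; a supplied name is the fallback.
        host = self.preconfigured_host or supplied_host
        if not host:
            raise WorkflowError("no VPN host pre-configured or supplied")
        if host not in self.reachable:
            raise WorkflowError(f"VPN host {host} did not answer")
        self.connected_to = host
        return host

    def teardown(self) -> None:
        self.connected_to = None


@dataclass
class UnifiedConnector:
    agent: VpnAgent
    broker: Callable[[str, str], Optional[str]]
    config: Dict[str, str]
    exposed: Dict[str, Set[str]]         # constructed: hosts visible behind each VPN host
    state: State = State.IDLE
    target: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def _advance(self, new_state: State, detail: str) -> None:
        self.state = new_state
        self.log.append(f"{new_state.name}: {detail}")

    def start_session(self) -> None:
        """Zero client (remoting protocol) session; refused unless the tunnel is up."""
        if self.state is not State.VPN_UP or self.agent.connected_to is None:
            raise WorkflowError("zero client session refused: VPN session not established")
        if self.target not in self.exposed.get(self.agent.connected_to, set()):
            raise WorkflowError(f"{self.target} not visible through {self.agent.connected_to}")
        self._advance(State.SESSION_UP, self.target)

    def connect(self, user_input: Dict[str, str], vpn_host: Optional[str] = None) -> State:
        try:
            self.target = resolve_target(user_input, self.broker, self.config)
            self._advance(State.TARGET_RESOLVED, self.target)
            self._advance(State.VPN_UP, self.agent.invoke(vpn_host))
            self.start_session()
        except WorkflowError as exc:
            self.agent.teardown()        # fail closed: no half-open tunnel left behind
            self._advance(State.FAILED, str(exc))
        return self.state


# Constructed sample data (reserved .example names, not from the patent).
BROKER_TABLE = {("alice", "pw"): "blade-07.corp.example"}


def sample_broker(user: str, password: str) -> Optional[str]:
    return BROKER_TABLE.get((user, password))


def build_connector(reachable: List[str]) -> UnifiedConnector:
    agent = VpnAgent("vpn.corp.example", set(reachable))
    exposed = {"vpn.corp.example": {"blade-07.corp.example", "blade-01.corp.example"}}
    return UnifiedConnector(agent, sample_broker,
                            {"remote_host": "blade-01.corp.example"}, exposed)


if __name__ == "__main__":
    for reachable in (["vpn.corp.example"], []):
        connector = build_connector(reachable)
        connector.connect({"username": "alice", "password": "pw"})
        print("\n".join(connector.log), end="\n\n")
```
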

The following describes various further exemplary embodiments of the zero client device.

In one embodiment, the communications processing unit may be configured to forward a copy of all data associated with the VPN session to a secondary remote server whose address is pre-configured by the user in configuration settings of the communications processing unit.

In a further embodiment, the communications processing unit may be further configured to execute Wide Area Network (WAN) optimization software to optimize remote communications in the VPN session.

In one embodiment, the communications processing unit may be configured to report on the usage and connection statistics associated with the VPN session to a secondary remote server whose address is pre-configured by the user in configuration settings of the communications processing unit. For example, the usage and connection statistics may include one or more of: whether and when the zero client device is connected or not, data transmission rates, data transmission amounts, time of connection, or connection destination, among others.

FIG. 2—Integration of Network Authentication Capability into a ZeroClient Device

FIG. 2 illustrates integration of network authentication (e.g., 802.1x)capability into a zero client device, according to one embodiment. Asnoted above, the communications processing unit of the client system mayimplement network communications functionality. In one embodiment, thecommunications processing unit may implement an 802.1x communicationsprotocol in software, as indicated in FIG. 2. Note that in FIG. 2 andothers of the Figures, elements in common with previously describedembodiments, e.g., the embodiments of FIG. 1, and described with respectto those embodiments, may not be described unless further detail isprovided for brevity, e.g., the display, keyboard, mouse, and serialI/O, etc.

IEEE 802.1x is an IEEE standard for port-based network access control. Part of the IEEE 802.1 set of networking protocols, 802.1x provides an authentication mechanism for devices requiring connection to a network, such as a LAN (Local Area Network) or a WLAN (wireless LAN), possibly over a WAN, such as the Internet. Thus, in some embodiments, the communications processing unit may provide network communications functionality with authentication for the zero client system.

More specifically, as FIG. 2 shows, in one exemplary embodiment, the zero client device may include a housing, a transcoding processing unit, included in the housing, and a communications processing unit, included in the housing and coupled to the transcoding processing unit, where the communications processing unit includes software implementing an 802.1x protocol for network authentication functionality. The zero client device may have no user-modifiable storage medium.

The communications processing unit may be configured to connect to a network using the 802.1x protocol, determine an identifier of a server to which connection is desired, and provide a network communication channel to the transcoding processing unit for accessing the server.

The transcoding processing unit may be configured to instantiate the zero client session with the server through the network communication channel provided by the communications processing unit, then receive input data from one or more human interface devices, encode the input data, and provide the encoded input data to the communications processing unit for transmission over the network to the server via the zero client session.

The communications processing unit may be further configured to receive the encoded input data from the transcoding processing unit, transmit the encoded input data over the network to the server via the zero client session, receive output data from the server over the network via the zero client session, and send the output data to the transcoding processing unit, which may be further configured to receive the output data from the communications processing unit, decode the output data, and send the decoded output data to at least one of the one or more human interface devices.

In another exemplary embodiment, the communications processing unit may be configured to execute both VPN software and 802.1x authentication software to provide network communication and authentication capabilities. Thus, for example, the communications processing unit may further include VPN software for securely connecting to the server over the network, and may be configured to instantiate a VPN session with the server via the VPN software, where the VPN session enables communications between components or devices connected to the communications processing unit and any systems or networks to which the server provides access.

It should be noted, however, that in other embodiments, the communications processing unit of the client system may implement other types of network communication and/or authentication protocols, as desired.

In some embodiments, communications over the network communication channel may be encrypted and/or compressed. Any encryption or data compression schemes may be used as desired. In one embodiment, the communications processing unit may be further configured to execute Wide Area Network (WAN) optimization software to optimize remote communications over the network communication channel.

As noted above, the novel utility of the present approach is due not only to the particular combination of components used (i.e., devices and software, including, for example, VPN, 802.1x components), but also to the software-implemented workflow, described above, which in one embodiment presents a single login screen to the end user and then triggers a set of workflows which a) causes the VPN connection to be instantiated, b) uses the provided credentials for 802.1x authentication, and c) upon the successful automated instantiation of a VPN connection and the completion of 802.1x authentication, invokes a zero client session with a specified host.

FIG. 3—Integration of Wireless Capability into a Zero Client Device

In some of the embodiments described above, the zero client system (device) may be coupled to a network via wired means. For example, the ASIC or FPGA (or processor) of the zero client device or system may have a wired network interface. However, in some embodiments, wireless capability may be integrated into the client. An exemplary embodiment of such a system is illustrated in FIG. 3.

As may be seen, the system of FIG. 3 is somewhat similar to that of FIG. 1, where the (zero) client couples to various human interface devices, e.g., display/monitor, keyboard, mouse, serial I/O (i.e., serial device(s)), etc., and further couples to a host computer or VM over a network. Also common with embodiments of FIG. 1, the zero client device or system of FIG. 3 may include a housing, and a transcoding processing unit, included in the housing and implemented on a first circuit board. Note that the first circuit board does not implement wireless communication functionality. The zero client device or system may also include a communications processing unit, included in the housing, implemented on a second circuit board, and coupled to the transcoding processing unit.

Now, in the embodiment of FIG. 3 the zero client device may also include a wireless communications module, included in the housing and switchably coupled to the transcoding processing unit and the communications processing unit. Note that, being a zero client device, the zero client device does not include a user-modifiable storage medium.

In some embodiments, the communications processing unit may be configured to receive an identifier for a wireless network to which connection is desired, configure the wireless communications module to connect to the wireless network, and switch the wireless communications module to connect to the transcoding processing unit. The transcoding processing unit may in turn be configured to receive an identifier for a server accessible via the wireless network, and instantiate a zero client session with the server over the wireless network. The transcoding processing unit may be further configured to receive input data from one or more human interface devices, encode the input data, and provide the encoded input data to the communications processing unit for transmission over the wireless network to the server via the zero client session.

The wireless communication module may be configured to receive the encoded input data from the transcoding processing unit, and transmit the encoded input data over the wireless network to the server via the zero client session. Moreover, the wireless communication module may be further configured to receive output data from the server over the wireless network via the zero client session, and send the output data to the transcoding processing unit.

Accordingly, the transcoding processing unit may be further configured to receive the output data from the wireless communications module, decode the output data, and send the decoded output data to at least one of the one or more human interface devices. Thus, the zero client device may facilitate or implement communications with a server via wireless means.

In the exemplary embodiment shown, the wireless module is or includes an Ethernet-Wireless bridge device which typically has an RJ-45 connection and implements DHCP/gateway/wireless client capabilities so that a device paired with the bridge device via its wired LAN (RJ-45) connection can obtain an IP address and connect to the wireless network to which the bridge is connected.

However, note that in order to use such a bridge device, which is typically made for media or gaming applications (e.g., connecting a Sony PlayStation 2™ (PS2) game console wirelessly), appropriate wireless network settings must be configured. These bridge devices have typically required a computer system with a browser to connect to their wired RJ-45 port and access their configuration interface via a web browser. It may be inconvenient, and in many instances, impossible, for each zero client to be configured in such a laborious way, i.e., requiring a computer system (such as a personal computer or workstation) to first connect to it, and then to configure it.

However, via embodiments of the system shown in FIG. 3, the user may be allowed to simply and easily configure the wireless module, e.g., the wireless bridge, without requiring any additional computer equipment. In one embodiment, this may be accomplished by means of an RJ-45 changeover switch (or functional equivalents) which can optionally and momentarily connect the communications processing unit with the wireless bridge device. When this connection occurs, the communications processing unit may obtain an IP address from the wireless bridge and communicate with the bridge via IP.

The communications processing unit (or alternatively, the transcoding processing unit) may execute an embedded browser and may be configured to display a user interface on the display/monitor attached to the client. The user may then provide configuration parameters via this user interface (displayed on the monitor), which may then be obtained by the communications processing unit, which may commit them to the wireless bridge, thereby configuring the bridge. The RJ-45 changeover switch may then be switched back to the transcoding processing unit, e.g., the FPGA/decode-processor/ASIC. With the newly configured wireless parameters, the bridge may then be able to establish a wireless connection and the transcoding processing unit may simply operate as if it were connected to a wired network.

Alternatively, in another embodiment, Wi-Fi (wireless) settings may be configured by means of a script executing on the communications processing unit (or the transcoding processing unit), which may automate the configuration process described above. Wi-Fi devices are often configured via an HTML based configuration web page, where a human user accesses the page with a browser and manually configures the device. Typically, HTML based configuration web pages of Wi-Fi devices do not expose an API with which a script or program can interface, as most HTML based configuration web pages are designed for manual human interaction.

In contrast, in some embodiments of the present device and techniques, HTML screen scraping techniques may be used to automatically login to an HTML web configuration page and populate appropriate HTML form fields to advance or implement the workflow(s) in the configuration page until the goal of the modification of the Wi-Fi settings has been achieved. Thus, in some embodiments, instead of interactively obtaining the input (specifying the Wi-Fi settings or parameters) from a human user, the communications processing unit may obtain the input from a remote network source, such as a management server that dispenses configuration information to multiple clients, or a wireless smart-phone (or other mobile networked device) running a configuration interface used by a system administrator on the road, or any other configuration parameter source(s).

In other embodiments, the wireless bridge may comprise a cellular device, e.g., a 3G or 4G cellular data device. There are numerous ways this functionality may be implemented. For example, in one exemplary embodiment, the device may provide a native RJ-45 port to bridge wireless access to a connected device. Alternatively, the device may be or include a USB/PCI or other plugin that requires a driver and network stack running on a processor in order to function. In embodiments where the device is a USB/PCI or other non-standalone device, such a cellular peripheral may be integrated with either the communications processing unit, or a secondary processor (or more generically, a secondary processing unit) which runs a network stack inclusive of the cellular peripheral driver, a DHCP server, gateway software and a full TCP/IP stack.

In one embodiment, the wireless communications module may further include Virtual Private Network (VPN) software (or other implementation) for securely connecting to the server over the wireless network. Accordingly, the wireless communications module may be further configured to instantiate a VPN session with the server via the VPN software, where the VPN session enables communications between components or devices connected to the communications processing unit and any systems or networks to which the server provides access.

In some embodiments, the wireless communications module may include multiple wireless transponders that implement channel bonding or link aggregation to increase available throughput.

In one embodiment, the communications processing unit is configured to maintain a white list of allowed wireless access points or networks with which the wireless communications module may connect. The communications processing unit may be further configured to disable or disconnect the wireless module in response to determining that the wireless communications module has attempted to establish a connection with a disallowed access point or network.
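The white-list check described above can be sketched as follows. This is an added illustration, not code from the patent: the association event fields, the `allow` helper, and the `disable_module` callback are assumptions, as are the optional pinning of a network name to specific access point BSSIDs and the choice to keep the module disabled after a violation.

```python
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List


def norm_bssid(bssid: str) -> str:
    """Canonicalize a BSSID so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = bssid.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed BSSID: {bssid!r}")
    return digits


@dataclass(frozen=True)
class AllowedNetwork:
    ssid: str
    # Empty set: any access point advertising this SSID is accepted.
    # A non-empty set pins the SSID to known access points (assumption).
    bssids: FrozenSet[str] = frozenset()


def allow(ssid: str, *bssids: str) -> AllowedNetwork:
    """Build a white-list entry with normalized BSSIDs."""
    return AllowedNetwork(ssid, frozenset(norm_bssid(b) for b in bssids))


@dataclass
class WirelessGuard:
    """Runs on the communications processing unit (hypothetical sketch)."""
    allowed: List[AllowedNetwork]
    disable_module: Callable[[], None]   # e.g. drops power to the bridge
    enabled: bool = True
    audit_log: List[str] = field(default_factory=list)

    def is_allowed(self, ssid: str, bssid: str) -> bool:
        try:
            b = norm_bssid(bssid)
        except ValueError:
            return False                 # malformed identifiers never match
        for net in self.allowed:
            if net.ssid == ssid and (not net.bssids or b in net.bssids):
                return True
        return False

    def on_association_attempt(self, ssid: str, bssid: str) -> bool:
        """Return True if the attempt may proceed; disable the module if not."""
        if not self.enabled:
            self.audit_log.append(f"ignored {ssid!r}/{bssid}: module disabled")
            return False
        if self.is_allowed(ssid, bssid):
            self.audit_log.append(f"allowed {ssid!r}/{bssid}")
            return True
        # Disallowed network: fail closed and stay disabled until an
        # administrator re-enables the module (assumption).
        self.enabled = False
        self.disable_module()
        self.audit_log.append(f"VIOLATION {ssid!r}/{bssid}: module disabled")
        return False


if __name__ == "__main__":
    # Constructed sample events, not captured traffic.
    guard = WirelessGuard([allow("corp-zc", "00:11:22:33:44:55")],
                          lambda: print("wireless module disabled"))
    guard.on_association_attempt("corp-zc", "00-11-22-33-44-55")
    guard.on_association_attempt("corp-zc", "66:77:88:99:AA:BB")
    print("\n".join(guard.audit_log))
```
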

There are a variety of ways the zero client device can acquire the wireless network and server identifiers. For example, in one embodiment, the communications processing unit may be configured to receive user input indicating the identifier for the wireless network via a browser executing on the communications processing unit. In another embodiment, the communications processing unit may be configured to retrieve the identifier for the wireless network from a configuration file or even a remote configuration server (or other remote device). In a further embodiment, the communications processing unit may be configured to search or otherwise perform a discovery process to determine accessible wireless networks, and to select the wireless network based on specified criteria.

In some embodiments, to receive an identifier for a server, the transcoding processing unit may be configured to obtain the identifier for the server from a remote source via the wireless network, e.g., via a cellular device, or from a configuration server, among others.

Thus, in some embodiments, the client system may support wireless connectivity, and may also provide a ready means for configuring this connectivity without recourse to a separate computing system.

FIG. 4—Assignment of Unique IP Address to a Zero Client Device based on MAC Address

FIG. 4 illustrates assignment of an IP address to a zero client device based on a MAC address, according to one embodiment.

In various embodiments, different schemes may be implemented to assign a network address to the zero client system, e.g., an IP address, as desired. Standard approaches to address assignment include the standard DHCP address assignment methodology, and the alternative fixed IP assignment methodology. One or both of these standard approaches may be modified to provide unique benefits to the client system.

In one embodiment, a specific IP address may be assigned to the transcoding processing unit based on its MAC (Media Access Control) address. An advantage of this scheme is that it allows for unique IP addresses across distributed environments, as MAC addresses for each device are unique. A benefit of having such unique IP addresses across distributed environments is that when the client establishes a VPN or secure tunnel connection back to a resource center, e.g., a cloud, server farm, datacenter, etc., each client is guaranteed to have a unique IP address.

The IP addresses assigned can be associated with a MAC address and never changed, i.e., the IP address may be statically bound to the transcoding processing unit, or, alternatively, may be dynamically bound to the transcoding processing unit based on a MAC address to IP address binding obtained from a set of MAC address to IP address bindings stored on one or more server computers, e.g., may be obtained from a list maintained on a centralized server (or servers) which provides MAC address to IP bindings. Thus, the assigned addresses may be permanent or dynamic.

As shown in FIG. 4, in one exemplary embodiment, the zero client device may include a housing, and a transcoding processing unit, included in the housing and implemented on a first circuit board. The transcoding processing unit may include (e.g., store) a Media Access Control (MAC) address, and an Internet Protocol (IP) address based on the MAC address, where the IP address is useable by the transcoding processing unit to communicate with devices over networks. The zero client device may also include a communications processing unit, included in the housing, implemented on a second circuit board, and coupled to the transcoding processing unit. As noted above, the zero client device may have no user-modifiable storage medium.

In some embodiments, the communications processing unit may be configured to determine an identifier of a server to which connection is desired, and query a remote database against the MAC address of the coupled transcoding processing unit. The communications processing unit may be configured to obtain an IP address to assign to the transcoding processing unit from the remote database based on the MAC address, and assign the obtained IP address to the transcoding processing unit by: acting as a DHCP (Dynamic Host Control Protocol) server, or using a management application programming interface (API) of the transcoding processing unit to set its static IP address to the obtained IP address. The communications processing unit may be further configured to provide a network communication channel to the transcoding processing unit for accessing the server.
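The lookup and assignment step described above, as an added sketch that is not code from the patent. The row format of the remote binding database, the address pool, and the function names are assumptions; the loader rejects a table in which two MAC addresses map to the same IP address, since the uniqueness property described above depends on the bindings being one-to-one.

```python
import ipaddress
import re
from typing import Dict, Iterable, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def norm_mac(mac: str) -> str:
    """Accept '00-1A-..', '00:1a:..' or '001a.2b3c..' and return 'aa:bb:..'."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_bindings(rows: Iterable[Tuple[str, str]], pool: str) -> Dict[str, str]:
    """Validate (mac, ip) rows fetched from the binding database.

    Raises ValueError on an address outside the pool, on a repeated MAC,
    or on two MACs sharing one IP.
    """
    net = ipaddress.ip_network(pool)
    by_mac: Dict[str, str] = {}
    owner_of_ip: Dict[str, str] = {}
    for raw_mac, raw_ip in rows:
        mac = norm_mac(raw_mac)
        ip = ipaddress.ip_address(raw_ip)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{ip} is not a usable host address in {net}")
        if mac in by_mac:
            raise ValueError(f"MAC {mac} is bound more than once")
        if str(ip) in owner_of_ip:
            raise ValueError(
                f"IP {ip} is bound to both {owner_of_ip[str(ip)]} and {mac}")
        by_mac[mac] = str(ip)
        owner_of_ip[str(ip)] = mac
    return by_mac


def plan_assignment(mac: str, bindings: Dict[str, str],
                    has_management_api: bool) -> Tuple[str, str]:
    """Choose how the communications processing unit hands out the address.

    Returns (method, ip). An unknown MAC raises LookupError rather than
    falling back to an arbitrary address (fail closed, an assumption).
    """
    key = norm_mac(mac)
    if key not in bindings:
        raise LookupError(f"no binding for MAC {key}")
    method = ("static-via-management-api" if has_management_api
              else "dhcp-reservation")
    return method, bindings[key]


# Constructed sample rows standing in for the remote database.
SAMPLE_ROWS = [
    ("00-1A-2B-3C-4D-5E", "10.20.0.11"),
    ("001a.2b3c.4d5f", "10.20.0.12"),
]

if __name__ == "__main__":
    table = load_bindings(SAMPLE_ROWS, "10.20.0.0/24")
    print(plan_assignment("00:1a:2b:3c:4d:5e", table, has_management_api=True))
```
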

Accordingly, the transcoding processing unit may be configured to instantiate the zero client session with the server through the network communication channel provided by the communications processing unit. Moreover, the transcoding processing unit may be further configured to receive input data from one or more human interface devices, encode the input data, and provide the encoded input data to the communications processing unit for transmission over the network to the server via the zero client session.

The communications processing unit may be configured to receive the encoded input data from the transcoding processing unit, transmit the encoded input data over the network to the server via the zero client session, receive output data from the server over the network via the zero client session, and send the output data to the transcoding processing unit. Accordingly, the transcoding processing unit may be further configured to receive the output data from the communications processing unit, decode the output data, and send the decoded output data to at least one of the one or more human interface devices.

In some embodiments, the communications processing unit may include Virtual Private Network (VPN) software for securely connecting to the server over the network, and may be further configured to instantiate a VPN session with the server via the VPN software. The VPN session may enable communications between components or devices connected to the communications processing unit and any systems or networks to which the server provides access.

Thus, embodiments of the above zero client device may utilize a MAC address to communicate with a server over a network.

FIG. 5—Integration of One or More Serial or Parallel Ports into a Zero Client Device

FIG. 5 illustrates integration of one or more serial or parallel ports into a zero client device, according to one embodiment.

In some embodiments, the zero client device's transcoding processing unit supports peripheral remoting via a single, e.g., serial, communication protocol, e.g., the USB protocol only, and thus may only provide a port (or ports) for that protocol, e.g., one or more USB ports. In other embodiments, as indicated in FIG. 5, one or more converters may be integrated into the client's housing to convert between this (e.g., serial) protocol and other protocols, where the converters may be coupled to the one or more USB ports of the transcoding processing unit. For example, the one or more converters may be or include USB converters for converting between USB and RS-232 or RS-485 communication protocols, between USB protocol and a parallel communication protocol, or any other type of protocol converter. Moreover, in some embodiments, multiple converters may be utilized, and thus, combinations of converters may be used to support client system communications with a wide variety of peripherals and protocols.

In one embodiment, the transcoding processing unit may be connected to the one or more protocol converters via a secondary or auxiliary communication channel that may be used to implement one or more of a) power management for the one or more converters, b) gathering performance metrics from the one or more converters, and/or c) management and configuration of the one or more converters.

In one particular exemplary embodiment, represented in FIG. 5, the zero client device may include a housing, and a transcoding processing unit included in the housing and implemented on a first circuit board, where the transcoding processing unit includes at least one USB port. The zero client device may further include one or more converters included in the housing and coupled to the USB port of the transcoding processing unit to facilitate communications between the transcoding processing unit and a corresponding one or more non-USB peripheral devices. Each converter of the one or more converters may be configured to convert between USB protocol and a respective one of an RS-232 communication protocol, an RS-485 communication protocol, or a parallel communication protocol, among others. As FIG. 5 shows, the transcoding processing unit may also be configured to couple to one or more human interface devices, e.g., a display, keyboard, mouse, etc., as desired.

The zero client device may further include a communications processing unit, included in the housing, implemented on a second circuit board, and coupled to the transcoding processing unit. The zero client device may have no user-modifiable storage medium.

The communications processing unit may be configured to determine an identifier of a server to which connection is desired, and provide a network communication channel to the transcoding processing unit for accessing the server. The transcoding processing unit may be configured to instantiate a zero client session with the server through the network communication channel provided by the communications processing unit, then receive first input data from one or more human interface devices, receive second input data from at least one non-USB peripheral device via at least one of the one or more converters, encode the first and second input data, thereby generating encoded input data, and provide the encoded input data to the communications processing unit for transmission over the network to the server via the zero client session.

Now, the communications processing unit may be configured to receive the encoded input data from the transcoding processing unit, and transmit the encoded input data over the network to the server via the zero client session.

Conversely, the communications processing unit may be further configured to receive first and second output data from the server over the network via the zero client session, and send the first and second output data to the transcoding processing unit, which may be further configured to receive the first and second output data from the communications processing unit, decode the first and second output data, thereby generating corresponding first and second decoded data. The transcoding processing unit may be further configured to send the first decoded output data to at least one of the one or more human interface devices, and send the second decoded data to the at least one non-USB peripheral device via at least one of the one or more converters.

In some embodiments, the communications processing unit may include Virtual Private Network (VPN) software for securely connecting to the server over the network, and may be further configured to instantiate a VPN session with the server via the VPN software. The VPN session may enable communications between components or devices connected to the communications processing unit and any systems or networks to which the server provides access.

In some embodiments, communications over the network communication channel may be encrypted and/or compressed. Any encryption or data compression schemes may be used as desired. In one embodiment, the communications processing unit may be further configured to execute Wide Area Network (WAN) optimization software to optimize remote communications over the network communication channel.

In a further embodiment, the communications processing unit may be further configured to identify packets transmitted over the network communication channel that are associated with a specified converter. In other words, the communications processing unit may be able to determine which converters are associated with which communication packets. The communications processing unit may then present various options to the user that take advantage of this functionality. For example, in some embodiments, the communications processing unit may be configured to, in response to user input, log communications related to the specified converter, forward communications related to the specified converter to a remote server whose address has been user configured in configuration settings of the communications processing unit, prevent forwarding of packets over the network communication channel related to the specified converter, or accelerate or prioritize transmission of packets on the out-of-band USB session, related to the specified converter, among other actions.
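The per-converter actions listed above (log, forward a copy, block, prioritize) can be modeled as a small policy pass over tagged packets. This is an added sketch, not code from the patent: the text does not say how a packet is matched to a converter, so the `converter` tag, the `Policy` fields, and the rule that blocked traffic is not mirrored are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, NamedTuple


class Packet(NamedTuple):
    seq: int
    converter: str      # hypothetical tag, e.g. "rs232-0" or "parallel-0"
    payload: bytes


@dataclass(frozen=True)
class Policy:
    log: bool = False          # record metadata about each packet
    mirror: bool = False       # forward a copy to the configured remote server
    block: bool = False        # prevent forwarding over the network channel
    prioritize: bool = False   # send ahead of non-prioritized traffic


class Result(NamedTuple):
    outbound: List[Packet]     # transmit order on the network channel
    mirrored: List[Packet]     # copies destined for the remote server
    log: List[str]


def apply_policies(packets: Iterable[Packet],
                   policies: Dict[str, Policy]) -> Result:
    """Classify packets by converter and apply the user-selected actions.

    Converters without an entry get the default policy (forward, no
    logging). Relative order is preserved within each priority class.
    """
    default = Policy()
    urgent: List[Packet] = []
    normal: List[Packet] = []
    mirrored: List[Packet] = []
    log: List[str] = []
    for pkt in packets:
        pol = policies.get(pkt.converter, default)
        if pol.log:
            verdict = "blocked" if pol.block else "sent"
            # Log metadata only; payload bytes stay out of the log.
            log.append(f"seq={pkt.seq} converter={pkt.converter} "
                       f"len={len(pkt.payload)} {verdict}")
        if pol.block:
            continue               # blocked traffic is neither sent nor mirrored
        if pol.mirror:
            mirrored.append(pkt)
        (urgent if pol.prioritize else normal).append(pkt)
    return Result(urgent + normal, mirrored, log)


# Constructed sample traffic and policy table.
SAMPLE_PACKETS = [
    Packet(1, "rs232-0", b"AT\r"),
    Packet(2, "parallel-0", b"\x1b@print job"),
    Packet(3, "rs485-0", b"\x01\x03\x00\x00"),
    Packet(4, "rs232-0", b"OK\r"),
]
SAMPLE_POLICIES = {
    "parallel-0": Policy(log=True, block=True),
    "rs485-0": Policy(prioritize=True, mirror=True),
    "rs232-0": Policy(log=True),
}

if __name__ == "__main__":
    res = apply_policies(SAMPLE_PACKETS, SAMPLE_POLICIES)
    print([p.seq for p in res.outbound], [p.seq for p in res.mirrored])
    print("\n".join(res.log))
```
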

FIG. 6—USB Bandwidth Augmentation and Support for Out-Of-Band USB Capabilities in a Zero Client Device

As discussed above, in some embodiments, the zero client device may have a single network interface by which it may connect to the network. This interface may be configured to deliver display (video), audio, and keyboard/mouse input/output, as well as all peripheral traffic, by means of a single protocol, e.g., the TCP/IP protocol. In some embodiments, an out-of-band technique may be utilized to enhance USB throughput capabilities delivered by a client. In some embodiments, the zero client device may include one or more additional USB ports (or ports supporting other protocols) which are out-of-band, where “out-of-band” means that the communications occur outside the normal zero client session for the device. Moreover, a software based USB remoting protocol may be used to implement a software USB redirection channel.

FIG. 6 illustrates an exemplary embodiment of a zero client system or device with USB bandwidth augmentation and support for out-of-band capabilities, e.g., out-of-band USB functionality, e.g., including USB 2.0 and/or USB 3.0 based functionality. It should be noted that while various of the features described herein are presented in terms of the USB communication protocol, in other embodiments any other serial bus protocol(s) may be used as desired.

As may be seen, in the embodiment shown, the transcoding processing unit, which may be implemented on a first circuit board, may include at least one USB port and may support peripheral remoting via USB protocol.

The zero client's communications processing unit, which may be implemented on a second circuit board, and which is coupled to the transcoding processing unit, may be configured to implement (execute) a software based USB remoting protocol that supplements the at least one USB port of the transcoding processing unit. To supplement the at least one USB port of the transcoding processing unit, the communications processing unit may implement one or more USB ports for out-of-band communications implementing a supplemental peripheral communication channel.

The zero client device may further include an uplink network connection, also included in the housing, and included in or coupled to the communications processing unit for connecting to a network.

The communications processing unit may be configured to determine an identifier of a server to which connection is desired (e.g., a remote host computer, a remote virtual machine, or any other type of server), instantiate an out-of-band session with the server to provide for supplemental peripheral communication, and provide a network communication channel to the transcoding processing unit for accessing the server. More generally, the communications processing unit may ascertain connection information for connecting the zero client device to a resource over a network, and provide this information to the transcoding processing unit. The communications processing unit may be further configured to establish an out-of-band USB session for communications between the server and the communications processing unit, and between the server and peripheral devices connected to the one or more USB ports for out-of-band communications. In other words, an extra or auxiliary (out-of-band) USB (or other serial bus) session may be provided (established) for communications between the server and peripheral devices on the out-of-band USB ports via the communications processing unit.

The transcoding processing unit may be configured to instantiate a zero client session with the server through the network communication channel provided by the communications processing unit, after which the transcoding processing unit may (be operable to) receive first input data from one or more human interface devices, encode the input data, thereby generating encoded input data, and provide the encoded input data to the communications processing unit for transmission over the network to the server via the zero client session.

Accordingly, the communications processing unit may be configured to receive the encoded input data from the transcoding processing unit, and to receive second input data from one or more USB peripheral devices via the (additional) one or more USB ports. The communications processing unit may be further configured to transmit the encoded input data and the second input data over the network to the server via the zero client session.

The communications processing unit may be further configured to receive first output data from the server over the network via the zero client session, receive second output data from the server over the network via the out-of-band USB session, send the first output data to the transcoding processing unit, and send the second output data to the one or more USB peripheral devices via the one or more USB ports.

The transcoding processing unit may be further configured to receive the first output data from the communications processing unit, decode the first output data, thereby generating decoded output data, and send the decoded output data to at least one of the one or more human interface devices.

Thus, in the embodiment of FIG. 6, the communications processing unit is configured to execute USB remoting software which supplements the USB remoting capabilities of the transcoding processing unit. There are several novel techniques that may be used to implement this architecture.

For example, in one embodiment, the presence of additional USB ports may act as a supplemental peripheral communication channel (or channels) to the USB ports connected via the transcoding processing unit. As another example, USB remoting software may be integrated on the communications processing unit, which is paired with the transcoding processing unit implementing a zero (or cloud) client protocol. In some embodiments, this supplemental communication channel may be referred to as a software USB redirection (or auxiliary) channel.

In another embodiment, two uplink network connections may be provided on a single zero client device, where one connection is dedicated principally to peripheral communication (e.g., USB remoting), and the other for communication with the server or cloud. For example, the communications processing unit may include two uplink network connections, including a first uplink network connection (included in the housing) for in-band network communications for the transcoding processing unit, and a second uplink network connection (also included in the housing) for out-of-band network communications via the software based USB remoting protocol.

In a variation of the above two-uplink-based embodiment, an optional switch may be integrated that combines the two uplinks into a single uplink. This switch may be of any speed, but preferentially implements 1 Gbps or 10 Gbps (or higher) connectivity to allow for sufficient bandwidth to support peripheral traffic acceleration via the out-of-band channel described above.

In a further embodiment, USB 3.0 redirection may be implemented by integrating a USB 3.0 host controller with the communications processing unit, and allowing redirection to occur over the software USB redirection channel. Note that even if the zero client protocol and decode processing unit does not support USB 3.0, this technique may allow the end-user to utilize USB 3.0 devices at higher data rates.

In one embodiment, the zero client device may communicate with the server via a zero client protocol that does not support USB 3.0, and where the transcoding processing unit does not support USB 3.0. In this case, the communications processing unit may further include a USB 3.0 host controller that implements out-of-band redirection via the software based USB remoting protocol, thereby facilitating high-speed out-of-band communications with USB 3.0 compliant peripheral devices.

In yet another embodiment, a software stack may be executed on the communications processing unit, and may detect which remote host or VM the transcoding processing unit is connected to. Upon detection, the out-of-band USB session with the same host may be initiated using the USB redirection software running on the communications processing unit.

In some embodiments, the one or more ports for out-of-band communications may include one or more of: one or more audio ports or one or more video ports. In one exemplary embodiment, the one or more ports for out-of-band communications may include one or more Thunderbolt ports.

In one embodiment, the zero client device may communicate with the server via a zero client protocol that does not support Thunderbolt/LightPeak (i.e., LightPeak, or the Thunderbolt implementation of LightPeak), and where the transcoding processing unit does not support Thunderbolt/LightPeak. Accordingly, in some embodiments, the communications processing unit may further include a Thunderbolt/LightPeak host controller that implements out-of-band redirection via a software based Thunderbolt/LightPeak remoting protocol, thereby facilitating high-speed out-of-band communications with Thunderbolt/LightPeak compliant peripheral devices.

In another embodiment, the communications processing unit may include or be coupled to one or more converters configured to convert between USB protocol and a respective one or more other communication protocols. The one or more ports for out-of-band communications may support out-of-band communications using the respective one or more other communication protocols.

In one embodiment, the zero client device may further include a switch, also included in the housing, where the switch is included in or coupled to the communications processing unit, and is further coupled to the uplink network connection. The switch may be configured to switch between in-band network communications for the transcoding processing unit, and out-of-band network communications via the software based USB remoting protocol. The switch may also support sufficient bandwidth to support peripheral traffic acceleration via the supplemental peripheral communication channel.

In one embodiment, the communications processing unit may be further configured to execute a software stack to detect which server the zero client device is connected to, and upon detection, initiate the out-of-band USB session with the server via the software based USB remoting protocol.

In some embodiments, the communications processing unit may include Virtual Private Network (VPN) software for securely connecting to the server over the network, and may be further configured to instantiate a VPN session with the server via the VPN software. The VPN session may enable communications between components or devices connected to the communications processing unit and any systems or networks to which the server provides access.

In some embodiments, communications over the out-of-band USB session may be encrypted and/or compressed. Any encryption or data compression schemes may be used as desired. In one embodiment, the communications processing unit may be further configured to execute Wide Area Network (WAN) optimization software to optimize remote communications in the out-of-band USB session.

In a further embodiment, the communications processing unit may be further configured to identify packets associated with a specified USB device. In other words, the communications processing unit may be able to determine which USB devices are associated with which communication packets, e.g., as senders or receivers of the packets. The communications processing unit may then present various options to the user that take advantage of this functionality. For example, in some embodiments, the communications processing unit may be configured to, in response to user input, log communications related to the specified USB device, forward communications related to the specified USB device to a remote server whose address has been user configured in configuration settings of the communications processing unit, prevent forwarding of packets on the out-of-band USB session related to the specified USB device, or accelerate or prioritize transmission of packets on the out-of-band USB session, related to the specified USB device, among other actions.

Note that in various embodiments, any combination of the above features may be used as desired. More generally, any of the features described herein regarding any of the zero client device embodiments may be used in any combinations desired, as noted above.

FIG. 7—Integration of Multiple USB-Based Display Adaptors, USB Remoting Hardware, and I/O Devices with a Zero Client to Extend Display Capabilities

A zero (or cloud) client typically drives between 1 and 4 monitors. No solution presently available can drive more than 4 monitors from a single zero client. Thus, in some embodiments, multiple display (i.e., video) adaptors may be employed in or by the client system to provide a solution that may be scaled arbitrarily to drive a large number of monitors from a single client device.

FIG. 7 illustrates an exemplary embodiment of such a zero client system or device, where multiple display adaptors, remoting hardware, and I/O devices are integrated with a zero client device to extend display capabilities. As with the system of FIG. 6, the zero client device of FIG. 7 may include a housing, an uplink network connection comprised in the housing and configured for connecting to devices over a network, and an optional communications processing unit, included in the housing and coupled to the uplink network connection, where the communications processing unit is implemented on a first circuit board. The system (device) may also include a transcoding processing unit, included in the housing and coupled to the communications processing unit, where the transcoding processing unit is implemented on a second circuit board. Note that in this embodiment, the second circuit board does not include onboard USB-based display adaptors, and the transcoding processing unit is configured to drive a first display and communicate with one or more user interface devices via a zero client protocol. The zero client device may also include one or more out-of-band USB extenders (or other types of out-of-band serial extenders) coupled to the communications processing unit.

As FIG. 7 also shows, in this embodiment, the zero client system (device) may include one or more USB video adaptors (or other types of serial video adaptors), coupled to at least one of the one or more out-of-band USB extenders, where each USB video adaptor may be configured to drive a respective additional display. In other words, the system may include additional display adaptors, e.g., USB VGA adaptors per FIG. 7, each of which may drive one or more additional displays (monitors). Note that in the embodiment shown, these additional monitors are not driven by the transcoding processing unit. Rather, each video adaptor receives video or display signals from one of the above out-of-band USB extenders integrated into the zero client device. In this particular embodiment, each of two USB extenders supports two display adaptors, although in other embodiments, the ratio of out-of-band USB extenders to display adaptors may differ. Similarly, other protocols/extenders besides USB may be employed as desired. However, it should be noted that in other embodiments, the transcoding processing unit may be further configured to drive one or more additional displays.

It should be further noted that in various embodiments, the out-of-band USB extenders and/or the video adaptors may be implemented and/or coupled in any of a variety of ways. For example, in one embodiment, one or more of the out-of-band USB extenders and/or one or more of the video adaptors may be implemented on the first circuit board with the communications processing unit. In another embodiment, one or more of the out-of-band USB extenders and/or one or more of the video adaptors may be implemented on the same circuit board (but distinct from the first circuit board). Any other implementations may be utilized as desired. Note that in the embodiment of FIG. 7, the communications processing unit is communicatively coupled to both the out-of-band extenders and the video adaptors.

The following describes exemplary communications by the zero client device with a server via the communications and transcoding processing units.

In some embodiments, the communications processing unit may be configured to determine an identifier of a server to which connection is desired, instantiate a USB (or other serial protocol/bus) extension session between the one or more out-of-band USB extenders and the server, and provide a network communication channel to the transcoding processing unit for accessing the server. Accordingly, the transcoding processing unit may be configured to instantiate a zero client session with the server through the network communication channel provided by the communications processing unit. Note that the zero client session is distinct (different) from the USB extension session, although in some embodiments, both sessions may utilize the uplink network connection, e.g., the same physical network connection.

The transcoding processing unit may be further configured to receive input data from one or more human interface devices, encode the input data, and provide the encoded input data to the communications processing unit for transmission over the network to the server. The communications processing unit may be configured to receive the encoded input data from the transcoding processing unit, and transmit the encoded input data over the network to the server via the zero client session. Conversely, the communications processing unit may also be configured to receive output data from the server over the network via the zero client session, and send the output data to the transcoding processing unit. The transcoding processing unit may accordingly be further configured to receive the output data from the communications processing unit, decode the output data, and send the decoded output data to at least one of the one or more human interface devices.

Note that the one or more out-of-band USB extenders may be configured to provide video communications between the USB video adaptors and the server via the USB extension session through the communications processing unit. In other words, in addition to communicating with the server via the zero client session, the zero client device may further provide for out-of-band video communications with the server via the USB extenders, e.g., for extended or auxiliary display functionality.

In one embodiment, the communications processing unit may include Virtual Private Network (VPN) software for securely connecting to the server over the network, and may be further configured to instantiate a VPN session with the server via the VPN software, where the VPN session enables communications between components or devices connected to the communications processing unit and any systems or networks to which the server provides access.

In addition to the extra display adaptors and out-of-band USB extenders, the exemplary embodiment shown in FIG. 7 also includes an optional switch interposed between the optional communications processing unit (e.g., running VPN software) and the network. This switch may be configured to aggregate client data traffic and connect to the network via a single uplink, similar to that described above.

Thus, in one embodiment, the client system or device may comprise a combination of out-of-band USB extenders, USB VGA adaptors, an optional switch for IP uplink consolidation, an optional communications processing unit, and a transcoding processing unit responsible for decoding a zero (or cloud) client protocol.

In some embodiments, the communications processing unit may implement one or more ports for out-of-band communications, thereby implementing one or more supplemental peripheral communication channels. The one or more supplemental peripheral communication channels may be configured to provide USB remote redirection for USB peripherals coupled to the zero client device.

In one embodiment, software that runs on the communications processing unit may detect the IP address or hostname of the (remote) server (e.g., host) to which the transcoding processing unit is connecting, and may initiate a session between the out-of-band USB extenders and the server. Note that at least two types of USB extenders are contemplated: i) IP based (i.e., configured to communicate over the network via IP protocol), and ii) non-IP based, such as RJ-45 based, where the latter may require a homerun connection and may not traverse IP switches, routers, or hubs. Note that in embodiments using non-IP based extenders, the zero client device may include multiple RJ-45 ports respectively configured to provide respective homerun connections to the server.

As noted above, in some embodiments, the communications processing unit and/or the uplink switch may be omitted. Thus, for example, in one embodiment, the transcoding processing unit may include a network connection for communicating with a server over a network, and may provide USB ports with which devices can be attached, e.g., human interface devices such as keyboards or mice, and/or protocol conversion devices (converters) such as the USB/RS-232 converter described above.

In further embodiments, communications over the USB extension session may be encrypted and/or compressed, as desired.

Moreover, in some embodiments, the communications processing unit may be further configured to execute Wide Area Network (WAN) optimization software to optimize remote communications in the USB extension session.

In a further embodiment, the communications processing unit may be configured to identify packets associated with a specified USB video adapter. In other words, the communications processing unit may be able to determine which USB video adapters are associated with which communication packets, e.g., as senders or receivers of the packets. The communications processing unit may then present various options to the user that leverage this functionality. For example, in some embodiments, the communications processing unit may be configured to, in response to user input, log communications related to the specified USB video adapter, forward communications related to the specified USB video adapter to a remote server whose address has been user configured in configuration settings of the communications processing unit, prevent forwarding of packets on the out-of-band USB session related to the specified USB video adapter, or accelerate or prioritize transmission of packets on the out-of-band USB session, related to the specified USB video adapter, among other actions.

FIG. 8—Integration of Bluetooth Capability into a Zero Client

FIG. 8 illustrates integration of Bluetooth capability into a zero client device, according to one embodiment. In some embodiments, the zero client device may integrate Bluetooth capability to allow for Bluetooth peripherals, e.g., wireless keyboards, mice, among others, to interface with the client. As described above, a zero client transcoding processing unit does not have a conventional operating system (OS) and thus, may not utilize conventional device drivers. Thus, in some embodiments, a Bluetooth transponder may be connected to the communications processing unit, and the communications processing unit may be configured to run an embedded operating system. A device driver for the Bluetooth transponder may thus run on top of the OS residing on the communications processing unit, allowing the connection and enumeration of Bluetooth peripherals, e.g., a Bluetooth keyboard, mouse, or other peripheral, with the communications processing unit.

In one more specific exemplary embodiment, the zero client device may include a housing, a transcoding processing unit, included in the housing and implemented on a first circuit board, and a communications processing unit, also included in the housing, implemented on a second circuit board, and coupled to the transcoding processing unit. The communications processing unit may be configured to connect to servers over a network. The zero client device may further include a Bluetooth transponder, which is also included in the housing and coupled to the communications processing unit.

The communications processing unit may be configured to run an embedded operating system, and may be configured with a device driver for the Bluetooth transponder for communications between the Bluetooth transponder and the embedded operating system. The device driver may be executable to provide for connection and enumeration of Bluetooth peripheral devices. As with the above embodiments, the zero client device may have no user-modifiable storage medium.

The communications processing unit may be configured to determine an identifier of a server to which connection is desired, and provide a network communication channel to the transcoding processing unit for accessing the server, and the transcoding processing unit may be configured to instantiate the zero client session with the server through the network communication channel provided by the communications processing unit.

The transcoding processing unit may be further configured to receive first input data from one or more human interface devices, encode the first input data, thereby generating encoded input data, and provide the encoded input data to the communications processing unit for transmission over the network to the server via the zero client session.

The communications processing unit may be configured to receive the encoded input data from the transcoding processing unit, receive second input data from one or more Bluetooth peripheral devices via the Bluetooth transponder, and transmit the encoded input data and the second input data over the network to the server via the zero client session.

Conversely, the communications processing unit may be configured to receive first and second output data from the server over the network via the zero client session, and send the first output data to the transcoding processing unit.

The transcoding processing unit may be further configured to receive the first output data from the communications processing unit, decode the first output data, thereby generating decoded output data, and send the decoded output data to the communications processing unit, which may be further configured to receive the decoded output data from the transcoding processing unit, and send the decoded output data to at least one of the one or more human interface devices. Moreover, the communications processing unit may be further configured to send the second output data to at least one of the one or more Bluetooth peripheral devices via the Bluetooth transponder.

Note, however, that keyboard/mouse (or other peripheral) input received from the communications processing unit may be required to be passed on to the transcoding processing unit. In order to achieve this, a keyboard/mouse/audio emulation device may be provided. Thus, in some embodiments, the zero client device may further include a microprocessor based keyboard/mouse/audio emulation device, included in the housing, and communicatively interposed between the communications processing unit and peripheral I/O ports of the transcoding processing unit. The emulation device may function as a communication bridge between the transcoding processing unit and the communications processing unit, and may be configured to receive the input data from the communications processing unit, generate input events corresponding to the input data, and provide the input events to the transcoding processing unit.

In other words, the emulation device may take output generated from the communications processing unit, and feed it directly into keyboard, mouse and audio ports of the transcoding processing unit running the zero client protocol. For example, if the “x” key is pressed on a Bluetooth keyboard, the Bluetooth transponder may receive the appropriate signal, e.g., custom software running on the communications processing unit may fetch the input from the keyboard buffer and transmit a signal to the connected keyboard/mouse/audio emulation device. The emulation device may be instructed to generate a key press event involving the “x” key. The emulation device accordingly generates a signal/key-press event, which may be picked up by the transcoding processing unit via the keyboard input port as if a real keyboard were connected.

In some embodiments, the communications processing unit may include Virtual Private Network (VPN) software for securely connecting to the server over the network, and may be further configured to instantiate a VPN session with the server via the VPN software. The VPN session may enable communications between components or devices connected to the communications processing unit and any systems or networks to which the server provides access.

In some embodiments, communications over the network communication channel may be encrypted and/or compressed. Any encryption or data compression schemes may be used as desired. In one embodiment, the communications processing unit may be further configured to execute Wide Area Network (WAN) optimization software to optimize remote communications over the network communication channel.

In a further embodiment, the communications processing unit may be further configured to identify packets associated with a specified Bluetooth device. In other words, the communications processing unit may be able to determine which Bluetooth devices are associated with which communication packets, e.g., as senders or receivers of the packets. The communications processing unit may then present various options to the user that take advantage of this functionality. For example, in some embodiments, the communications processing unit may be configured to, in response to user input, log communications related to the specified Bluetooth device, forward communications related to the specified Bluetooth device to a remote server whose address has been user configured in configuration settings of the communications processing unit, prevent forwarding of packets for the specified USB device, or accelerate or prioritize transmission of packets related to the specified Bluetooth device, among other actions.
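
The per-device handling described for USB devices, USB video adapters and Bluetooth devices (log, forward a copy to a configured server, prevent forwarding, prioritize) can be illustrated as a policy table applied to packets already attributed to a device. This is an added example, not code from the patent; the `Packet` fields, the device identifiers, the `Action` names and the collector address are assumptions made for the illustration.

```python
import heapq
import itertools
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    LOG = "log"
    MIRROR = "mirror"          # copy to the user-configured remote server
    BLOCK = "block"            # do not forward on the out-of-band session
    PRIORITIZE = "prioritize"  # send ahead of unprioritized traffic


@dataclass(frozen=True)
class Packet:
    device_id: str   # hypothetical tag assigned when the packet is classified
    direction: str   # "tx" (device to server) or "rx" (server to device)
    payload: bytes


class DevicePolicyEngine:
    def __init__(self, mirror_address):
        self.mirror_address = mirror_address   # from configuration settings
        self.rules = {}                        # device_id -> set of Action
        self.log = []                          # (device, direction, length, verdict)
        self.mirrored = []                     # (mirror_address, Packet)
        self._queue = []                       # heap of (priority, seq, Packet)
        self._seq = itertools.count()          # keeps FIFO order within a class

    def set_actions(self, device_id, *actions):
        self.rules[device_id] = set(actions)

    def submit(self, pkt):
        """Apply the device's actions; return True if queued for the uplink."""
        actions = self.rules.get(pkt.device_id, set())
        blocked = Action.BLOCK in actions
        if Action.LOG in actions:
            # Record metadata only, and record blocked packets as well, so the
            # log shows what the device attempted to send or receive.
            self.log.append((pkt.device_id, pkt.direction, len(pkt.payload),
                             "blocked" if blocked else "forwarded"))
        if Action.MIRROR in actions:
            # Design choice of this example: a copy is taken even when the
            # packet is also blocked from the out-of-band session.
            self.mirrored.append((self.mirror_address, pkt))
        if blocked:
            return False
        priority = 0 if Action.PRIORITIZE in actions else 1
        heapq.heappush(self._queue, (priority, next(self._seq), pkt))
        return True

    def drain(self):
        """Queued packets in transmit order: prioritized first, FIFO otherwise."""
        out = []
        while self._queue:
            out.append(heapq.heappop(self._queue)[2])
        return out
```

Devices with no configured actions are forwarded at normal priority; a deployment that wants unknown peripherals held back would change that default to `BLOCK`.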

FIG. 9—Integration of GPS Capability into a Mobile Zero Client Device

FIG. 9 illustrates integration of Global Positioning System (GPS) capability into a zero client device, according to one embodiment. More specifically, in some embodiments, a GPS chip (or module) may be incorporated into the zero client architecture. For example, the GPS chip may be paired with the communications processing unit that is part of the zero client architecture described above. The GPS chip may provide location information concerning the client. The GPS coordinate access software may execute on the communications processing unit and hence may not require the transcoding processing unit to have an active connection to a remote virtual machine or host computer.

In one exemplary embodiment, the zero client device may be a mobile zero client device that includes a housing, a transcoding processing unit, included in the housing and implemented on a first circuit board, and a communications processing unit, also included in the housing, implemented on a second circuit board, and coupled to the transcoding processing unit. The communications processing unit may be configured to connect to devices over a network, and may include a GPS (Global Positioning System) chip configured to provide location information of the zero client device. Accordingly, the communications processing unit may be further configured with GPS coordinate access software for communicating with the GPS chip. The zero client device may have no user-modifiable storage medium.

The communications processing unit may be configured to determine an identifier of a server to which connection is desired, and provide a network communication channel to the transcoding processing unit for accessing the server. The transcoding processing unit may be configured to instantiate the zero client session with the server through the network communication channel provided by the communications processing unit, then receive input data from one or more human interface devices, encode the input data, and provide the encoded input data to the communications processing unit for transmission over the network to the server via the zero client session.

The communications processing unit may be configured to receive the encoded input data from the transcoding processing unit, transmit the encoded input data over the network to the server via the zero client session, receive output data from the server over the network via the zero client session, and send the output data to the transcoding processing unit, which may be further configured to receive the output data from the communications processing unit, decode the output data, thereby generating decoded output data, and send the decoded output data to at least one of the one or more human interface devices.

The coordinates obtained from the GPS chip can be stored (e.g., archived) to processor memory of the communications processing unit, and used for any of a variety of purposes. For example, in one embodiment, the communications processing unit may be configured to store coordinates obtained from the GPS chip to processor memory of the communications processing unit for use by the zero client device and for optional access via a remote management console or other network based entity, and send coordinates obtained from the GPS chip to a specified connection broker (or other server or service) at a configurable temporal frequency. To determine the identifier of the server, the communications processing unit may be configured to receive a network address of the server from the connection broker based on proximity of the server to the zero client device determined via the sent coordinates.

In another embodiment, the communications processing unit may be configured to store coordinates obtained from the GPS chip to processor memory of the communications processing unit for use by the zero client device and for optional access via a remote management console or other network based entity, send coordinates obtained from the GPS chip to a pre-configured remote server at a configurable temporal frequency, and either trigger a shut down of the mobile zero client in response to detecting that the device is outside an authorized area based on the coordinates obtained from the GPS chip, or trigger destruction of the mobile zero client in response to detecting that the device is outside the authorized area based on the coordinates obtained from the GPS chip. For example, in one embodiment, destruction of the zero client device may simply involve damage to some critical component in the device that renders it irreversibly inoperable.

In one embodiment, the communications processing unit may include Virtual Private Network (VPN) software for securely connecting to the server over the network, and the communications processing unit may be further configured to instantiate a VPN session with the server via the VPN software, wherein the VPN session enables communications between components or devices connected to the communications processing unit and any systems or networks to which the server provides access.

In some embodiments, communications over the network communication channel may be encrypted and/or compressed. Any encryption or data compression schemes may be used as desired. In one embodiment, the communications processing unit may be further configured to execute Wide Area Network (WAN) optimization software to optimize remote communications over the network communication channel.

In a further embodiment, the communications processing unit may be further configured to automatically modify data transmitted via the network communication channel by changing the protocol type or one or more connectivity parameters based on the location information of the zero client device provided by the GPS chip. The one or more connectivity parameters may include one or more of maximum transmission unit (MTU), or one or more IP/TCP/UDP stack connection parameters. Examples of IP/TCP/UDP stack connection parameters include, but are not limited to, tcp_time_wait_interval, tcp_close_wait_interval, tcp_fin_wait_2_flush_interval, tcp_keepalive_interval, tcp_ip_abort_linterval, tcp_rexmit_interval_initial, tcp_rexmit_interval_min, tcp_ip_abort_interval, tcp_ip_abort_linterval, tcp_ip_abort_cinterval, udp_smallest_anon_port, tcp_smallest_anon_port, udp_largest_anon_port, tcp_largest_anon_port, udp_smallest_nonpriv_port, tcp_smallest_nonpriv_port, tcp_extra_priv_ports_add, udp_extra_priv_ports_add, write-only action, tcp_extra_priv_ports_del, udp_extra_priv_ports_del, write-only action, tcp_extra_priv_ports, and udp_extra_priv_ports, among others.

In some embodiments, the communications processing unit may include configuration settings, including one or more rules specifying location ranges associated with respective connectivity parameters.
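
The two location-driven behaviors described above, rules that map location ranges to connectivity parameters and a shut-down trigger when the device leaves an authorized area, are sketched below as an added example that is not taken from the patent. The rule boxes, parameter values, the circular shape of the authorized area, the consecutive-strike debounce and the treatment of a missing or stale GPS fix as a violation are all assumptions of this illustration.

```python
import math
from dataclasses import dataclass, field

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class LocationRule:
    """One configuration rule: a latitude/longitude range and its parameters."""
    name: str
    lat_range: tuple
    lon_range: tuple
    params: dict = field(default_factory=dict)

    def contains(self, lat, lon):
        return (self.lat_range[0] <= lat <= self.lat_range[1]
                and self.lon_range[0] <= lon <= self.lon_range[1])


# Constructed sample values; the parameter names are those listed in the text.
DEFAULT_PARAMS = {"protocol": "tcp", "mtu": 1500, "tcp_keepalive_interval": 7_200_000}
RULES = [
    LocationRule("campus", (30.26, 30.28), (-97.75, -97.73), {"mtu": 9000}),
    LocationRule("field-site", (31.00, 31.50), (-98.00, -97.00),
                 {"protocol": "udp", "mtu": 1400, "tcp_keepalive_interval": 60_000}),
]


def select_params(lat, lon, rules=RULES, default=DEFAULT_PARAMS):
    """First matching rule wins; unmatched locations get the defaults."""
    for rule in rules:
        if rule.contains(lat, lon):
            return {**default, **rule.params}
    return dict(default)


class Geofence:
    """Circular authorized area with debounce and fail-closed fix handling."""

    def __init__(self, lat, lon, radius_m, max_fix_age_s=30.0, strikes_to_shutdown=3):
        self.center = (lat, lon)
        self.radius_m = radius_m
        self.max_fix_age_s = max_fix_age_s
        self.strikes_to_shutdown = strikes_to_shutdown
        self.strikes = 0

    def evaluate(self, fix, now):
        """fix is (lat, lon, timestamp) or None; returns 'ok', 'warn' or 'shutdown'."""
        if fix is None or now - fix[2] > self.max_fix_age_s:
            # No usable fix (antenna removed, shielded, or chip failure):
            # count it against the device rather than assuming it is inside.
            violation = True
        else:
            violation = haversine_m(*self.center, fix[0], fix[1]) > self.radius_m
        if not violation:
            self.strikes = 0
            return "ok"
        # Require several consecutive violations so GPS jitter near the
        # boundary does not shut the device down on a single bad reading.
        self.strikes += 1
        return "shutdown" if self.strikes >= self.strikes_to_shutdown else "warn"
```

The caller acts on the returned state; what 'shutdown' does on a given device is outside this example.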

Note that the novel functionalities of the above described embodiments depend not only on the GPS components (e.g., the GPS chip) within the housing of the zero client, but also on at least one software application (or program) which executes (or is implemented) on the zero client communications processing unit (or the transcoding processing unit) which reads GPS coordinates from the GPS chip and performs or invokes one or more actions. For example, in some embodiments, the at least one program may a) transmit these coordinates to a central server which processes rules that guide the software application's behavior and actions, e.g., wipe configuration data, destroy firmware on the client in the event that the zero client device is removed from a secure facility, and b) transmit these coordinates back to a remote host to which the zero client is connected. As zero client communication protocols may not be designed to carry GPS coordinates or location data, an auxiliary or redirection channel may be established between the software application running on the zero client communications processing unit and a (e.g., small) agent running on the remote host. The agent running on the remote host may receive the GPS data and in some embodiments may either invoke local processes which process the GPS data, or cache the GPS data so that applications running on the remote system can query the agent for the current position of the zero client device.

FIG. 10—Integration of Multi-Boot Capability to Allow the Use of More Than One Zero Client Protocol From the Same Zero Client Device

FIG. 10 illustrates integration of multi-boot capability into a zero client device to allow use of multiple zero client protocols from the same zero client device, according to one embodiment. In one embodiment, the zero client device may include two or more transcoding processing units, each running a different zero client protocol, such as PCoIP and RemoteFX (or others). The user may be able to select which protocol he/she wishes to use and the client may initialize the corresponding transcoding processing unit and connect it to the local peripherals (e.g., keyboard, mouse, USB, audio, etc.) and display, e.g., human interface devices.

More specifically, in some exemplary embodiments, the zero client device may include a housing, and two or more transcoding processing units, included in the housing, where each of the two or more transcoding processing units is implemented on a respective first circuit board (e.g., boards A, B, etc., with one circuit board per transcoding processing unit). Each of the two or more transcoding processing units may be configured to execute a respective zero client protocol.

The zero client device may further include a communications processing unit, included in the housing, implemented on a second circuit board, and coupled to the two or more transcoding processing units. The communications processing unit may be configured to connect to devices over a network. As above, the zero client device may have no user-modifiable storage medium.

In some embodiments, the zero client device may be configured to receive user input selecting a zero client protocol of the two or more transcoding processing units for operation, select and initialize a transcoding processing unit (of the two or more transcoding processing units) corresponding to the selected zero client protocol, and establish a connection between the transcoding processing unit and human interface devices, including one or more peripheral devices and a display device.

The communications processing unit may be configured to determine an identifier of a server to which connection is desired, and provide a network communication channel to the selected transcoding processing unit for accessing the server. Accordingly, the selected transcoding processing unit may be configured to instantiate a zero client session with the server through the network communication channel provided by the communications processing unit.

Additionally, the selected transcoding processing unit may be further configured to receive input data from one or more human interface devices, encode the input data, and provide the encoded input data to the communications processing unit for transmission over the network to the server via the zero client session. The communications processing unit may be configured to receive the encoded input data from the selected transcoding processing unit, transmit the encoded input data over the network to the server via the zero client session, receive output data from the server over the network via the zero client session, and send the output data to the selected transcoding processing unit, which may be further configured to receive the output data from the communications processing unit, decode the output data, and send the decoded output data to at least one of the one or more human interface devices.

Thus, multiple zero client protocols may be supported by respective selectable transcoding processing units in one zero client device.

In a further embodiment, a KVM (keyboard/video/mouse) switch may be integrated within the zero client device, e.g., included in the housing, such that any one of the transcoding processing units may be connected to the display and peripherals (e.g., human interface devices, etc.), while the other(s) still maintains an open connection with the server or host and remains fully functional. Thus, the user may switch to other in-progress zero (or cloud) client protocol connections by exercising a dial, switch, or button on a graphical user interface (GUI) for the client, e.g., on the zero (or cloud) client's front panel, which invokes the KVM to disconnect from the current transcoding processing unit and initiate a connection with a different transcoding processing unit, e.g., the next transcoding processing unit in line.

In one embodiment, all circuit boards, cards, etc., present in the zero client device may be powered by a single integrated power supply. In other words, the zero client device may include a single integrated power supply, included in the housing, and configured to provide power to the zero client device.

Further, in some embodiments, an optional IP switch may be included in the client which may be configured to aggregate network connections (uplinks) from each of the two or more transcoding processing units present into a single external connection. This single connection may, for example, be located on the backpanel of the client housing, i.e., enclosure or case.

Moreover, in some embodiments, one or more other processors may be included in the zero client device. For example, one or more x86, ARM or PowerPC systems (circuit or processor system boards) may be included within the same enclosure with the two or more transcoding processing units running a zero client protocol. These individual systems may all be interfaced via a KVM switch that can be used to drive the local display and peripherals, and connect them with any of the selected systems (circuit or processor system boards). In another embodiment, a physical front panel, e.g., a graphical color LCD display front panel (or any other display type), may be provided, which may function as a user interface to the KVM switch, and which may provide an indication of which system (e.g., of the decoder processing unit, x86, ARM or PowerPC system) the external peripherals (e.g., user interface devices) are currently connected to.

In one embodiment, the communications processing unit may include Virtual Private Network (VPN) software for securely connecting to the server over the network, and may be further configured to instantiate a VPN session with the server via the VPN software, where the VPN session enables communications between components or devices connected to the communications processing unit and any systems or networks to which the server provides access.

In some embodiments, each of the one or more processor system boards may be configured to connect to and communicate with the human interface devices, and each of the two or more transcoding processing units and the one or more processor system boards may be configured to drive a respective display device coupled to the zero client device.

For example, in one embodiment, two or more of the transcoding processing units may be configured to connect to a display capable of accepting multiple inputs and providing “Picture in Picture” capability, thereby allowing “Picture in Picture” display for simultaneous zero client sessions.

In some embodiments, software based keyboard and mouse sharing may allow the keyboard and mouse to operate across all displays even though they are driven by different systems all housed within the client enclosure. Audio output may be multiplexed and fed to a speaker system via a single line out. Audio input may be aggregated so that a single microphone feeds all internal boards/systems. In other words, audio inputs to at least one transcoding processing unit and the one or more processor system boards may be aggregated so that a single microphone feeds the at least one transcoding processing unit and the one or more processor system boards.

In some embodiments, communications over the zero client session may be encrypted and/or compressed. Any encryption or data compression schemes may be used as desired. In one embodiment, the communications processing unit may be further configured to execute Wide Area Network (WAN) optimization software to optimize remote communications in the zero client session.

In a further embodiment, the communications processing unit may be further configured to identify packets associated with a specified zero client session. In other words, the communications processing unit may be able to determine which zero client sessions are associated with which communication packets, e.g., as senders or receivers of the packets. The communications processing unit may then present various options to the user that take advantage of this functionality. For example, in some embodiments, the communications processing unit may be configured to, in response to user input, log communications related to the specified zero client session, forward communications related to the specified zero client session to a remote server whose address has been user configured in configuration settings of the communications processing unit, prevent forwarding of packets for the zero client session, or accelerate or prioritize transmission of packets related to the specified zero client session, among other actions.

FIG. 11—Secure KVM Switching in a Zero Client Device

FIG. 11 illustrates integration of secure KVM (keyboard/video/mouse) switching capability into a zero client device, according to one embodiment. In some embodiments, a keyboard, video, audio, display, and USB sharing switch (which may be referred to herein as a KVM and USB switch (or simply a KVM switch) for convenience) may be provided which may allow multiple, e.g., N, computing systems to connect to one or more (e.g., 1 to M) displays, a single keyboard, a single mouse, a single set of speakers, and/or a set of USB ports. Compared to prior art KVM technology, the novel KVM switching functionality disclosed herein provides or facilitates functionality and benefits not available with the prior art, some of which are described below.

In one embodiment, a microcontroller may control the (KVM) switching, and may log a switching event every time a switch action is initiated by the user. The user may initiate this action, e.g., by exercising a dial, switch, or button attached externally to the casing housing the switch. The logged event may be stored to memory attached to the microcontroller and may include a timestamp, the port to which the session was switched (i.e., the computing system/board which was activated), and/or other attributes, e.g., environmental elements, which, for example, may include the ID of the user, GPS coordinates obtained from an optionally integrated GPS chip, and/or other similar attributes. This log may be used for audit and security verification purposes.

In one embodiment, the microcontroller may be programmed with rules on a one-off basis, or by obtaining a rule set from a network location. These rules may control some or all aspects of the operation of the switch. Examples of such rules may include:

a. do not allow switching to Port A during the hours 8 am to 5 pm;

b. if the user switches to Port B, shut the system down;

c. if the user switches to Port A, send a network event via SNMP, Email, Page or any other notification system;

d. if the user switches away from Port A, take any actions described above;

e. if the user switches away from Port A, power down the system connected to Port A;

f. if the user tries to switch to Port B, provide a warning or informational message on screen; or

g. if the user tries to switch away from Port B, provide a warning or informational message on an optional LCD attached to the KVM enclosure.

Note, however, that the above rules are exemplary only, and are not intended to limit the rules implemented to any particular set of rules.
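The following sketch is an added example, not code from the patent: it shows how microcontroller firmware could evaluate rules like a, c, e and f above and write the audit record described earlier for every attempt, allowed or not. The type and function names, the UTC hour derivation, the suppression of power-down when a switch is denied, and the refusal to switch when the log is full are all assumptions of this sketch.

```c
#include <stdio.h>

enum trigger { ON_ENTER, ON_LEAVE };   /* switching to / away from a port */
enum action  { ACT_DENY = 1, ACT_NOTIFY = 2, ACT_WARN = 4, ACT_POWER_DOWN = 8 };

struct rule {
    char port;               /* port the rule watches */
    enum trigger when;
    int from_hour, to_hour;  /* rule is active in [from_hour, to_hour), UTC */
    unsigned actions;        /* bitmask of enum action */
};

struct log_entry {
    long ts;                 /* seconds since epoch */
    char from, to;           /* active port and requested port */
    char user[16];
    unsigned actions;        /* actions taken for this attempt */
    int allowed;
};

/* Constructed rule set modelled on rules a, c, e and f above. */
static const struct rule rules[] = {
    { 'A', ON_ENTER, 8, 17, ACT_DENY },        /* a: no Port A, 8 am to 5 pm */
    { 'A', ON_ENTER, 0, 24, ACT_NOTIFY },      /* c: notify on switch to A   */
    { 'A', ON_LEAVE, 0, 24, ACT_POWER_DOWN },  /* e: power down A on leaving */
    { 'B', ON_ENTER, 0, 24, ACT_WARN },        /* f: warn on switch to B     */
};

#define LOG_CAP 32
static struct log_entry audit_log[LOG_CAP];
static int log_len;

/* Evaluate one switch request, log it, and update *active only if allowed.
 * Returns the bitmask of actions the caller must carry out. */
unsigned request_switch(char *active, char target, const char *user, long ts)
{
    int hour = (int)((ts / 3600) % 24);
    unsigned acts = 0;

    /* Assumption: with no room left for the audit record, refuse to switch. */
    if (log_len >= LOG_CAP)
        return ACT_DENY;

    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        int in_window = hour >= r->from_hour && hour < r->to_hour;
        int matches = (r->when == ON_ENTER && r->port == target) ||
                      (r->when == ON_LEAVE && r->port == *active);
        if (matches && in_window)
            acts |= r->actions;
    }

    int allowed = !(acts & ACT_DENY);
    if (!allowed)                         /* nothing was left, so nothing powers down */
        acts &= ~(unsigned)ACT_POWER_DOWN;

    struct log_entry *e = &audit_log[log_len++];
    e->ts = ts;
    e->from = *active;
    e->to = target;
    snprintf(e->user, sizeof e->user, "%s", user);
    e->actions = acts;
    e->allowed = allowed;

    if (allowed)
        *active = target;
    return acts;
}

int main(void)
{
    char active = 'B';
    /* Constructed requests: 10:00, 18:00 and 19:00 UTC on day zero. */
    request_switch(&active, 'A', "alice", 10 * 3600L);
    request_switch(&active, 'A', "alice", 18 * 3600L);
    request_switch(&active, 'B', "alice", 19 * 3600L);
    for (int i = 0; i < log_len; i++)
        printf("ts=%ld user=%s %c->%c allowed=%d actions=0x%x\n",
               audit_log[i].ts, audit_log[i].user, audit_log[i].from,
               audit_log[i].to, audit_log[i].allowed, audit_log[i].actions);
    return 0;
}
```

Denied attempts still produce a log entry and any notification, which is what makes the log useful for the audit purpose the text describes.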

In another embodiment, the microcontroller may optionally be connected to a network (IP) port so that a management console or other management software present on the same network can contact the microcontroller. Once contact is established, this link can be used to perform any of various functions, such as, for example:

a. update the rule set on the microcontroller;

b. change notification settings;

c. adjust time or clock settings;

d. obtain the captured log file (described above);

e. run diagnostic tests;

f. remotely restart the system;

g. remotely force a connection to any available port; or

h. remotely force a shutdown of the system.

Note that the above actions are exemplary only, and are not intended to limit the actions implemented to any particular set of actions. Note that each of the logging, audit trail, and rule based operational aspects described herein are unavailable with prior art systems.

In some embodiments, the above secure KVM technique may be incorporated in a zero client device. For example, in one embodiment, the zero client device may include a housing, a transcoding processing unit, included in the housing, and implemented on a first circuit board, and a communications processing unit, included in the housing, implemented on a second circuit board, and coupled to the transcoding processing unit. The communications processing unit may be configured to connect to devices over a network. The zero client device may further include one or more processor system boards, also included in the housing, as well as a KVM (keyboard video mouse) and USB switch, included in the housing, and configured to connect human interface devices to at least one of the one or more processor system boards or the transcoding processing unit in response to user input. The zero client device may have no user-modifiable storage medium.

The communications processing unit may be configured to determine an identifier of a server to which connection is desired, and provide a network communication channel to the transcoding processing unit for accessing the server. The transcoding processing unit may be configured to instantiate the zero client session with the server through the network communication channel provided by the communications processing unit, and may be further configured to receive input data from one or more human interface devices via the KVM and USB switch, encode the input data, and provide the encoded input data to the communications processing unit for transmission over the network to the server via the zero client session.

The communications processing unit may be configured to receive the encoded input data from the transcoding processing unit, transmit the encoded input data over the network to the server via the zero client session, receive output data from the server over the network via the zero client session, and send the output data to the transcoding processing unit, which may be configured to receive the output data from the communications processing unit, decode the output data, and send the decoded output data to at least one of the one or more human interface devices via the KVM and USB switch.

In some embodiments, the communications processing unit may include Virtual Private Network (VPN) software for securely connecting to the server over the network, and may be further configured to instantiate a VPN session with the server via the VPN software. The VPN session may enable communications between components or devices connected to the communications processing unit and any systems or networks to which the server provides access.

In one embodiment, the zero client device may further include a color display front panel, included in or on the housing, and coupled to the KVM and USB switch. The color display front panel may include or implement a user interface to the KVM and USB switch and provide an indication as to which of the one or more processor system boards and the at least one transcoding processing unit the user interface devices are currently connected.

The KVM and USB switch may be further configured to switchably and simultaneously connect each of the transcoding processing unit and the one or more processor system boards to a respective display device, and the communications processing unit may be configured with program instructions implementing software based keyboard and mouse sharing that allows the keyboard and mouse to span all display devices coupled to the transcoding processing unit and the one or more processor system boards, respectively.

In some embodiments, audio output from the zero client device may be multiplexed and fed to a speaker system via a single line out, and audio inputs to the zero client device may be aggregated so that a single microphone feeds the transcoding processing unit and the one or more processor system boards.

In further embodiments, additional security related functionality may be provided in or by the KVM and USB switch and/or the zero client device. For example, in one embodiment, the KVM and USB switch may include one or more tamper proof sensors configured to detect whether the housing has been opened. Exemplary sensors include, but are not limited to, light sensors, contact sensors, magnetic sensors, or any other types of sensors that can detect whether the zero client housing has been opened.

Moreover, in some embodiments, the KVM and USB switch may be further configured to perform an action in response to at least one of the one or more tamper proof sensors detecting that the housing has been opened. Examples of actions that may be performed include, but are not limited to, one or more of: disable itself (i.e., the KVM and USB switch), use electrical surges or programmed instructions to disable any connected zero client devices, log the detection, or use programmed instructions to send a tamper notification to a connected device of the detection, wherein the tamper notification is useable by the connected device to take its own action, e.g., disable itself, log the detection, or display the tamper notification visually, etc.

FIG. 12—Network Controlled USB/RJ-45 and Audio Switch

FIG. 12 illustrates one embodiment of a network controlled serial/audio switch. As shown, in one embodiment, multiple RJ-45, USB, and audio inputs may be provided to connect to a single RJ-45, USB, and audio output (respectively). For example, in one exemplary embodiment a network controlled switch may be provided that includes multiple serial, e.g., RJ-45, inputs, multiple USB inputs, multiple audio inputs, a single RJ-45 output, a single USB output, a single audio output, and multiplexing circuitry, connected to each of the multiple RJ-45 inputs, the multiple USB inputs, the multiple audio inputs, the single RJ-45 output, the single USB output, and the single audio output. The multiplexing circuit (and thus, the switch) may be configured to receive (RJ-45) data from the multiple RJ-45 inputs, and provide the (RJ-45) data to the single RJ-45 output. Similarly, the multiplexing circuit (and thus, the switch) may be configured to receive (USB) data from the multiple USB inputs, and provide the (USB) data to the single USB output. The multiplexing circuit (and thus, the switch) may further be configured to receive data (i.e., audio signals) from the multiple audio inputs, and provide the data to the single audio output. Other embodiments are also contemplated. For example, the particular types of port categories/protocols may be different, or additional ports/protocols may be included.

As indicated in FIG. 12, in one exemplary embodiment, the switch may include a microcontroller, a memory, coupled to the microcontroller, a network connection, coupled to the microcontroller, for providing IP (Internet Protocol) connectivity to a remote server, and switching circuitry, coupled to the microcontroller. The switching circuitry may be configured to connect to multiple computing systems, connect to one or more user interface devices or serial I/O ports, and receive user input instructing the switching circuitry to switch to any one of the multiple computing systems to which it is connected.

The memory may store program instructions executable by the microcontroller to configure the switching circuitry to connect any of the multiple computing systems to the one or more interface devices or serial I/O ports, and query a remote server via the network connection to determine whether the user input instructing the switching circuitry to connect to any of the multiple computing systems is permissible based on any of a variety of criteria, including, for example, one or more of: time of day, a user identifier (ID) of the user providing the user input to the switching circuitry, a geographical or network location of the switch, a type, geographical location, IP address range, or gateway of the network connection, a server-defined flag or semaphore, or an ID of a computing system to which the switching circuitry is instructed to connect, among others.
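As an added illustration (not code from the patent), the server-side permissibility decision described above can be written as a default-deny check over four of the listed criteria: user ID, IP address range of the switch's network connection, time of day, and ID of the target computing system, plus a server-defined flag. The grant table, the addresses, the function names and the treatment of a missing server reply as a denial are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted-quad IPv4 address into a host-order integer.
 * Returns 0 on success, -1 on malformed input (trailing text, octet > 255). */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* True when ip lies inside net/bits. A /0 prefix matches everything; it is
 * handled separately because shifting a 32-bit value by 32 is undefined. */
int in_range(uint32_t ip, uint32_t net, int bits)
{
    if (bits < 0 || bits > 32)
        return 0;
    uint32_t mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    return (ip & mask) == (net & mask);
}

struct grant {
    const char *user;        /* user ID presented at the switch */
    const char *net;         /* permitted source network of the switch */
    int bits;                /* prefix length of that network */
    int from_hour, to_hour;  /* permitted in [from_hour, to_hour) */
    unsigned systems;        /* bit n set: computing system n may be selected */
};

/* Constructed policy; users, networks and system IDs are placeholders. */
static const struct grant grants[] = {
    { "alice", "10.20.0.0",  16, 8, 18, 0x3 },  /* systems 0 and 1, office hours */
    { "bob",   "10.20.30.0", 24, 0, 24, 0x4 },  /* system 2, any hour, one subnet */
};

static int lockdown;  /* server-defined flag: when set, every request is refused */

/* Server side: 1 if the switch request is permissible, 0 otherwise. */
int switch_permitted(const char *user, const char *src_ip, int hour, int system_id)
{
    uint32_t ip, net;
    if (lockdown || hour < 0 || hour > 23 || system_id < 0 || system_id > 31)
        return 0;
    if (parse_ipv4(src_ip, &ip) != 0)
        return 0;
    for (size_t i = 0; i < sizeof grants / sizeof grants[0]; i++) {
        const struct grant *g = &grants[i];
        if (strcmp(g->user, user) != 0 || parse_ipv4(g->net, &net) != 0)
            continue;
        if (!in_range(ip, net, g->bits))
            continue;
        if (hour < g->from_hour || hour >= g->to_hour)
            continue;
        if (g->systems & (1u << system_id))
            return 1;
    }
    return 0;  /* no grant matched: deny */
}

/* Switch side: only an explicit allow connects; a missing reply is a denial. */
enum reply { REPLY_NONE, REPLY_DENY, REPLY_ALLOW };
int act_on_reply(enum reply r) { return r == REPLY_ALLOW; }

int main(void)
{
    printf("alice, office range, 09h, system 1: %d\n",
           switch_permitted("alice", "10.20.5.9", 9, 1));
    printf("alice, other network, 09h, system 1: %d\n",
           switch_permitted("alice", "10.21.0.1", 9, 1));
    printf("no reply from server: %d\n", act_on_reply(REPLY_NONE));
    return 0;
}
```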

Thus, in some embodiments, the switch may include a microcontroller and memory, similar to the KVM switch discussed above. Accordingly, logging, rules, and network based management functionality similar to that described above may also be implemented as desired.

In one embodiment, the one or more user interface devices may include one or more of: one or more display devices, a keyboard, a mouse, or a set of speakers, among others.

In some embodiments, the program instructions may be executable to configure the switching circuitry in response to user input to the switch selecting one of the multiple computing systems for a session, and may be further executable by the microcontroller to log an event in the memory in response to each switch action initiated by the user. The logged event may include, but is not limited to, one or more of: a timestamp, or a port or computing system to which the session was switched. The log may be useable for audit and security verification purposes, as desired. In one embodiment, the logged event may further include the ID of the user. In some embodiments, the switch may further include a GPS (global positioning system) chip configured to provide GPS coordinates of the switch. The logged event may accordingly further include GPS coordinates obtained from the GPS chip when the switch action was initiated. In some embodiments, the program instructions may be further executable by the microcontroller to implement switching rules for the switch.

In one embodiment, the switch may also include a network IP port for connecting to a network, and the program instructions may be further executable by the microcontroller to connect the switch to a network device with management software, and perform one or more functions in response to input from the management software.

Additionally, in some embodiments, communications over the network connection may be encrypted and/or compressed, via any encryption or compression schemes desired. Moreover, in one embodiment, the memory may store Wide Area Network (WAN) optimization software executable by the microcontroller to optimize communications over the network connection.

It should be noted that each of the above-described system embodiments may be used to perform corresponding methods, where each system element performs its respective functionality during operation of the system as a method element.

Various embodiments may further include receiving or storing instructions and/or information implemented in accordance with the foregoing description upon a carrier medium. Suitable carrier media may include storage media or memory media such as magnetic or optical media, e.g., disk or CD-ROM, as well as transmission media or signals such as electrical, electromagnetic, or digital signals, conveyed via a communication medium such as a network and/or a wireless link.

Further modifications and alternative embodiments of various aspects of the invention will be apparent to those skilled in the art in view of this description. Accordingly, this description is to be construed as illustrative only and is for the purpose of teaching those skilled in the art the general manner of carrying out the invention. It is to be understood that the forms of the invention shown and described herein are to be taken as the presently preferred embodiments. Elements and materials may be substituted for those illustrated and described herein, parts and processes may be reversed, and certain features of the invention may be utilized independently, all as would be apparent to one skilled in the art after having the benefit of this description of the invention. Changes may be made in the elements described herein without departing from the spirit and scope of the invention as described in the following claims.

1. A zero client device, comprising: a housing; a transcoding processing unit, comprised in the housing, wherein the transcoding processing unit is implemented on a first circuit board; a communications processing unit, comprised in the housing and coupled to the transcoding processing unit, wherein the communications processing unit is implemented on a second circuit board, and wherein the communications processing unit is configured to connect to devices over a network; one or more processor system boards, comprised in the housing; and a KVM (keyboard/video/mouse) and USB switch, comprised in the housing, and configured to connect human interface devices to at least one of the one or more processor system boards or the transcoding processing unit in response to user input; wherein the zero client device has no user-modifiable storage medium; wherein the communications processing unit is configured to: determine an identifier of a server to which connection is desired; provide a network communication channel to the transcoding processing unit for accessing the server; wherein the transcoding processing unit is configured to: instantiate the zero client session with the server through the network communication channel provided by the communications processing unit; wherein the transcoding processing unit is further configured to: receive input data from one or more human interface devices via the KVM and USB switch; encode the input data; and provide the encoded input data to the communications processing unit for transmission over the network to the server via the zero client session; wherein the communications processing unit is configured to: receive the encoded input data from the transcoding processing unit; transmit the encoded input data over the network to the server via the zero client session; receive output data from the server over the network via the zero client session; and send the output data to the transcoding processing unit; wherein the transcoding processing unit is further configured to: receive the output data from the communications processing unit; decode the output data; and send the decoded output data to at least one of the one or more human interface devices via the KVM and USB switch.

2. The zero client device of claim 1, wherein the communications processing unit comprises Virtual Private Network (VPN) software for securely connecting to the server over the network, and wherein the communications processing unit is further configured to: instantiate a VPN session with the server via the VPN software, wherein the VPN session enables communications between components or devices connected to the communications processing unit and any systems or networks to which the server provides access.

3. The zero client device of claim 1, further comprising: a color display front panel, comprised in or on the housing, and coupled to the KVM and USB switch, wherein the color display front panel comprises a user interface to the KVM and USB switch and provides an indication as to which of the one or more processor system boards and the at least one transcoding processing unit the user interface devices are currently connected.

4. The zero client device of claim 1, wherein the KVM and USB switch is further configured to switchably and simultaneously connect each of the transcoding processing unit and the one or more processor system boards to a respective display device; and wherein the communications processing unit is configured with program instructions implementing software based keyboard and mouse sharing that allows the keyboard and mouse to span all display devices coupled to the transcoding processing unit and the one or more processor system boards, respectively.

5. The zero client device of claim 1, wherein audio output from the zero client device is multiplexed and fed to a speaker system via a single line out, and wherein audio inputs to the zero client device are aggregated so that a single microphone feeds the transcoding processing unit and the one or more processor system boards.

6. The zero client device of claim 1, wherein the KVM and USB switch comprises one or more tamper proof sensors configured to detect whether the housing has been opened.

7. The zero client device of claim 6, wherein the KVM and USB switch is further configured to perform an action in response to at least one of the one or more tamper proof sensors detecting that the housing has been opened, and wherein the action comprises one or more of: disable itself; use electrical surges or programmed instructions to disable any connected zero client devices; log the detection; or use programmed instructions to send a tamper notification to a connected device of the detection, wherein the tamper notification is useable by the connected device to take its own action in response to the detection.